elv_iosched_store doesn't terminate string passed from userspace if
it's too long. Also, if the written length is zero (probably not
possible), it accesses elevator_name[-1]. This patch fixes both bugs.
Signed-off-by: Tejun Heo <[email protected]>
diff --git a/block/elevator.c b/block/elevator.c
--- a/block/elevator.c
+++ b/block/elevator.c
@@ -744,13 +744,15 @@ error:
ssize_t elv_iosched_store(request_queue_t *q, const char *name, size_t count)
{
char elevator_name[ELV_NAME_MAX];
+ size_t len;
struct elevator_type *e;
memset(elevator_name, 0, sizeof(elevator_name));
- strncpy(elevator_name, name, sizeof(elevator_name));
+ strncpy(elevator_name, name, sizeof(elevator_name) - 1);
+ len = strlen(elevator_name);
- if (elevator_name[strlen(elevator_name) - 1] == '\n')
- elevator_name[strlen(elevator_name) - 1] = '\0';
+ if (len && elevator_name[len - 1] == '\n')
+ elevator_name[len - 1] = '\0';
e = elevator_get(elevator_name);
if (!e) {
elv_iosched_store doesn't terminate string passed from userspace if
it's too long. Also, if the written length is zero (probably not
possible), it accesses elevator_name[-1]. This patch fixes both bugs.
Signed-off-by: Tejun Heo <[email protected]>
Cc: Bernd Petrovitsch <[email protected]>
---
In a private mail, Bernd Petrovitsch pointed out that memset can be
replaced with elevator_name[sizeof(elevator_name) - 1] = '\0'.
Thanks.
diff --git a/block/elevator.c b/block/elevator.c
--- a/block/elevator.c
+++ b/block/elevator.c
@@ -744,13 +744,15 @@ error:
ssize_t elv_iosched_store(request_queue_t *q, const char *name, size_t count)
{
char elevator_name[ELV_NAME_MAX];
+ size_t len;
struct elevator_type *e;
- memset(elevator_name, 0, sizeof(elevator_name));
- strncpy(elevator_name, name, sizeof(elevator_name));
+ elevator_name[sizeof(elevator_name) - 1] = '\0';
+ strncpy(elevator_name, name, sizeof(elevator_name) - 1);
+ len = strlen(elevator_name);
- if (elevator_name[strlen(elevator_name) - 1] == '\n')
- elevator_name[strlen(elevator_name) - 1] = '\0';
+ if (len && elevator_name[len - 1] == '\n')
+ elevator_name[len - 1] = '\0';
e = elevator_get(elevator_name);
if (!e) {
On Thu, Nov 10 2005, Tejun Heo wrote:
> elv_iosched_store doesn't terminate string passed from userspace if
> it's too long. Also, if the written length is zero (probably not
> possible), it accesses elevator_name[-1]. This patch fixes both bugs.
>
> Signed-off-by: Tejun Heo <[email protected]>
> Cc: Bernd Petrovitsch <[email protected]>
Thanks applied.
--
Jens Axboe