From be56123568072d223263a6a70a087d1e7faabb83 Mon Sep 17 00:00:00 2001 From: Tejun Heo Date: Thu, 10 Nov 2005 08:55:01 +0100 Subject: [BLOCK] fix string handling in elv_iosched_store elv_iosched_store doesn't terminate string passed from userspace if it's too long. Also, if the written length is zero (probably not possible), it accesses elevator_name[-1]. This patch fixes both bugs. Signed-off-by: Tejun Heo Signed-off-by: Jens Axboe --- block/elevator.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/block/elevator.c b/block/elevator.c index 73aa46b6db4..cacfff7418e 100644 --- a/block/elevator.c +++ b/block/elevator.c @@ -762,13 +762,15 @@ error: ssize_t elv_iosched_store(request_queue_t *q, const char *name, size_t count) { char elevator_name[ELV_NAME_MAX]; + size_t len; struct elevator_type *e; - memset(elevator_name, 0, sizeof(elevator_name)); - strncpy(elevator_name, name, sizeof(elevator_name)); + elevator_name[sizeof(elevator_name) - 1] = '\0'; + strncpy(elevator_name, name, sizeof(elevator_name) - 1); + len = strlen(elevator_name); - if (elevator_name[strlen(elevator_name) - 1] == '\n') - elevator_name[strlen(elevator_name) - 1] = '\0'; + if (len && elevator_name[len - 1] == '\n') + elevator_name[len - 1] = '\0'; e = elevator_get(elevator_name); if (!e) { -- cgit v1.2.3