Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8febdd85 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

sysctl: don't overflow the user-supplied buffer with '\0'



If the string was too long to fit in the user-supplied buffer,
the sysctl layer would zero-terminate it by writing past the
end of the buffer. Don't do that.

Noticed by Yi Yang <yang.y.yi@gmail.com>

Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 8b90db0d
Loading
Loading
Loading
Loading
+1 −3
Original line number Diff line number Diff line
@@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen,
		if (get_user(len, oldlenp))
			return -EFAULT;
		if (len) {
			l = strlen(table->data);
			l = strlen(table->data)+1;
			if (len > l) len = l;
			if (len >= table->maxlen)
				len = table->maxlen;
			if(copy_to_user(oldval, table->data, len))
				return -EFAULT;
			if(put_user(0, ((char __user *) oldval) + len))
				return -EFAULT;
			if(put_user(len, oldlenp))
				return -EFAULT;
		}