Commit 8097110d authored Jun 24, 2008 by Cliff Wickman Committed by Tony Luck Jun 24, 2008

[IA64] Handle count==0 in sn2_ptc_proc_write()



The fix applied in e0c6d97c
"security hole in sn2_ptc_proc_write" didn't take into account
the case where count==0 (which results in a buffer underrun
when adding the trailing '\0').  Thanks to Andi Kleen for
pointing this out.

Signed-off-by: Cliff Wickman <cpw@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>

parent 2826f8c0

arch/ia64/sn/kernel/sn2/sn2_smp.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -512,7 +512,7 @@ static ssize_t sn2_ptc_proc_write(struct file file, const char __user user, si
		int cpu;
		char optstr[64];

		if (count > sizeof(optstr))
		if (count == 0 \|\| count > sizeof(optstr))
		return -EINVAL;
		if (copy_from_user(optstr, user, count))
		return -EFAULT;