summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@g5.osdl.org>2005-12-31 02:18:53 +0100
committerLinus Torvalds <torvalds@g5.osdl.org>2005-12-31 02:18:53 +0100
commit8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c (patch)
tree2e1aaa5e4e68057a4e96a606e2ad0bcccedcd6df
parentInsanity avoidance in /proc (diff)
downloadlinux-8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c.tar.xz
linux-8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c.zip
sysctl: don't overflow the user-supplied buffer with '\0'
If the string was too long to fit in the user-supplied buffer, the sysctl layer would zero-terminate it by writing past the end of the buffer. Don't do that. Noticed by Yi Yang <yang.y.yi@gmail.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--kernel/sysctl.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 9990e10192e8..ad0425a8f709 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen,
if (get_user(len, oldlenp))
return -EFAULT;
if (len) {
- l = strlen(table->data);
+ l = strlen(table->data)+1;
if (len > l) len = l;
if (len >= table->maxlen)
len = table->maxlen;
if(copy_to_user(oldval, table->data, len))
return -EFAULT;
- if(put_user(0, ((char __user *) oldval) + len))
- return -EFAULT;
if(put_user(len, oldlenp))
return -EFAULT;
}