summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCliff Wickman <cpw@sgi.com>2008-06-24 19:20:06 +0200
committerTony Luck <tony.luck@intel.com>2008-06-24 19:20:06 +0200
commit8097110d179b874d91c6495330c2b96c991e8c6e (patch)
tree8ca93d3c7758953f468e5b25708d68dfd732b307
parent[IA64] Fix boot failure on ia64/sn2 (diff)
downloadlinux-8097110d179b874d91c6495330c2b96c991e8c6e.tar.xz
linux-8097110d179b874d91c6495330c2b96c991e8c6e.zip
[IA64] Handle count==0 in sn2_ptc_proc_write()
The fix applied in e0c6d97c65e0784aade7e97b9411f245a6c543e7 "security hole in sn2_ptc_proc_write" didn't take into account the case where count==0 (which results in a buffer underrun when adding the trailing '\0'). Thanks to Andi Kleen for pointing this out. Signed-off-by: Cliff Wickman <cpw@sgi.com> Signed-off-by: Tony Luck <tony.luck@intel.com>
-rw-r--r--arch/ia64/sn/kernel/sn2/sn2_smp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/ia64/sn/kernel/sn2/sn2_smp.c b/arch/ia64/sn/kernel/sn2/sn2_smp.c
index 6dd886c5d860..e585f9a2afb9 100644
--- a/arch/ia64/sn/kernel/sn2/sn2_smp.c
+++ b/arch/ia64/sn/kernel/sn2/sn2_smp.c
@@ -512,7 +512,7 @@ static ssize_t sn2_ptc_proc_write(struct file *file, const char __user *user, si
int cpu;
char optstr[64];
- if (count > sizeof(optstr))
+ if (count == 0 || count > sizeof(optstr))
return -EINVAL;
if (copy_from_user(optstr, user, count))
return -EFAULT;