Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / mainline / linux / 8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c^! / .
commit8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c[log] [tgz]
authorLinus Torvalds <torvalds@g5.osdl.org>Fri Dec 30 17:18:53 2005 -0800
committerLinus Torvalds <torvalds@g5.osdl.org>Fri Dec 30 17:18:53 2005 -0800
tree2e1aaa5e4e68057a4e96a606e2ad0bcccedcd6df
parent8b90db0df7187a01fb7177f1f812123138f562cf [diff]
sysctl: don't overflow the user-supplied buffer with '\0'

If the string was too long to fit in the user-supplied buffer,
the sysctl layer would zero-terminate it by writing past the
end of the buffer. Don't do that.

Noticed by Yi Yang <yang.y.yi@gmail.com>

Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 9990e10..ad0425a 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c

@@ -2201,14 +2201,12 @@
 		if (get_user(len, oldlenp))
 			return -EFAULT;
 		if (len) {
-			l = strlen(table->data);
+			l = strlen(table->data)+1;
 			if (len > l) len = l;
 			if (len >= table->maxlen)
 				len = table->maxlen;
 			if(copy_to_user(oldval, table->data, len))
 				return -EFAULT;
-			if(put_user(0, ((char __user *) oldval) + len))
-				return -EFAULT;
 			if(put_user(len, oldlenp))
 				return -EFAULT;
 		}