diff options
author | Tejun Heo <htejun@gmail.com> | 2005-11-10 08:55:01 +0100 |
---|---|---|
committer | Jens Axboe <axboe@nelson.home.kernel.dk> | 2005-11-12 10:56:21 +0100 |
commit | be56123568072d223263a6a70a087d1e7faabb83 (patch) | |
tree | e6044bff3c9dba3392dfe1a4b172d87081d55334 /block | |
parent | 15853af9f07673680439b224519c692f1352b959 (diff) | |
download | linux-be56123568072d223263a6a70a087d1e7faabb83.tar.gz linux-be56123568072d223263a6a70a087d1e7faabb83.tar.xz |
[BLOCK] fix string handling in elv_iosched_store
elv_iosched_store doesn't terminate string passed from userspace if
it's too long. Also, if the written length is zero (probably not
possible), it accesses elevator_name[-1]. This patch fixes both bugs.
Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Jens Axboe <axboe@suse.de>
Diffstat (limited to 'block')
-rw-r--r-- | block/elevator.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/block/elevator.c b/block/elevator.c index 73aa46b6db49..cacfff7418e4 100644 --- a/block/elevator.c +++ b/block/elevator.c @@ -762,13 +762,15 @@ error: ssize_t elv_iosched_store(request_queue_t *q, const char *name, size_t count) { char elevator_name[ELV_NAME_MAX]; + size_t len; struct elevator_type *e; - memset(elevator_name, 0, sizeof(elevator_name)); - strncpy(elevator_name, name, sizeof(elevator_name)); + elevator_name[sizeof(elevator_name) - 1] = '\0'; + strncpy(elevator_name, name, sizeof(elevator_name) - 1); + len = strlen(elevator_name); - if (elevator_name[strlen(elevator_name) - 1] == '\n') - elevator_name[strlen(elevator_name) - 1] = '\0'; + if (len && elevator_name[len - 1] == '\n') + elevator_name[len - 1] = '\0'; e = elevator_get(elevator_name); if (!e) { |