From be56123568072d223263a6a70a087d1e7faabb83 Mon Sep 17 00:00:00 2001 From: Tejun Heo Date: Thu, 10 Nov 2005 08:55:01 +0100 Subject: [PATCH] [BLOCK] fix string handling in elv_iosched_store elv_iosched_store doesn't terminate string passed from userspace if it's too long. Also, if the written length is zero (probably not possible), it accesses elevator_name[-1]. This patch fixes both bugs. Signed-off-by: Tejun Heo Signed-off-by: Jens Axboe --- block/elevator.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/block/elevator.c b/block/elevator.c index 73aa46b6db49..cacfff7418e4 100644 --- a/block/elevator.c +++ b/block/elevator.c @@ -762,13 +762,15 @@ static void elevator_switch(request_queue_t *q, struct elevator_type *new_e) ssize_t elv_iosched_store(request_queue_t *q, const char *name, size_t count) { char elevator_name[ELV_NAME_MAX]; + size_t len; struct elevator_type *e; - memset(elevator_name, 0, sizeof(elevator_name)); - strncpy(elevator_name, name, sizeof(elevator_name)); + elevator_name[sizeof(elevator_name) - 1] = '\0'; + strncpy(elevator_name, name, sizeof(elevator_name) - 1); + len = strlen(elevator_name); - if (elevator_name[strlen(elevator_name) - 1] == '\n') - elevator_name[strlen(elevator_name) - 1] = '\0'; + if (len && elevator_name[len - 1] == '\n') + elevator_name[len - 1] = '\0'; e = elevator_get(elevator_name); if (!e) {