commit 8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

sysctl: don't overflow the user-supplied buffer with '\0'

If the string was too long to fit in the user-supplied buffer,
the sysctl layer would zero-terminate it by writing past the
end of the buffer. Don't do that.

Noticed by Yi Yang <yang.y.yi@gmail.com>

Signed-off-by: Linus Torvalds <torvalds@osdl.org>

Linus Torvalds 20 years ago 8febdd85 8b90db0d

+1 -3

1 changed file

expand all

unified split

kernel

sysctl.c

+1 -3

kernel/sysctl.c

··· 2201 2201 if (get_user(len, oldlenp)) 2202 2202 return -EFAULT; 2203 2203 if (len) { 2204 - l = strlen(table->data); 2204 + l = strlen(table->data)+1; 2205 2205 if (len > l) len = l; 2206 2206 if (len >= table->maxlen) 2207 2207 len = table->maxlen; 2208 2208 if(copy_to_user(oldval, table->data, len)) 2209 - return -EFAULT; 2210 - if(put_user(0, ((char __user *) oldval) + len)) 2211 2209 return -EFAULT; 2212 2210 if(put_user(len, oldlenp)) 2213 2211 return -EFAULT;