[BLOCK] fix string handling in elv_iosched_store
authorTejun Heo <htejun@gmail.com>
Thu, 10 Nov 2005 07:55:01 +0000 (08:55 +0100)
committerJens Axboe <axboe@nelson.home.kernel.dk>
Sat, 12 Nov 2005 09:56:21 +0000 (10:56 +0100)
elv_iosched_store doesn't terminate string passed from userspace if
it's too long.  Also, if the written length is zero (probably not
possible), it accesses elevator_name[-1].  This patch fixes both bugs.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Jens Axboe <axboe@suse.de>
block/elevator.c

index 73aa46b..cacfff7 100644 (file)
@@ -762,13 +762,15 @@ error:
 ssize_t elv_iosched_store(request_queue_t *q, const char *name, size_t count)
 {
        char elevator_name[ELV_NAME_MAX];
+       size_t len;
        struct elevator_type *e;
 
-       memset(elevator_name, 0, sizeof(elevator_name));
-       strncpy(elevator_name, name, sizeof(elevator_name));
+       elevator_name[sizeof(elevator_name) - 1] = '\0';
+       strncpy(elevator_name, name, sizeof(elevator_name) - 1);
+       len = strlen(elevator_name);
 
-       if (elevator_name[strlen(elevator_name) - 1] == '\n')
-               elevator_name[strlen(elevator_name) - 1] = '\0';
+       if (len && elevator_name[len - 1] == '\n')
+               elevator_name[len - 1] = '\0';
 
        e = elevator_get(elevator_name);
        if (!e) {
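Review bot: The copy on the `strncpy` line still reads up to `sizeof(elevator_name) - 1` bytes of `name` without consulting `count`, so the function depends on the caller handing it a NUL-terminated buffer — presumably true for a sysfs store page, but that assumption deserves a comment such as `/* name must be NUL-terminated by the caller; count does not bound this copy */`. A name of `ELV_NAME_MAX - 1` or more characters is now terminated safely but silently truncated before the `elevator_get()` lookup, so an over-long string is resolved as whichever shorter elevator name it happens to prefix rather than being rejected; checking `strlen(name) >= sizeof(elevator_name)` (or the return of `strlcpy`) and returning `-EINVAL` would make that explicit. The `len &&` guard is the part that closes the `elevator_name[-1]` access the message describes; a short comment saying so on that line would help the next reader. The body of `elv_iosched_store` continues past the end of the hunk.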