[IA64] Handle count==0 in sn2_ptc_proc_write()
authorCliff Wickman <cpw@sgi.com>
Tue, 24 Jun 2008 17:20:06 +0000 (10:20 -0700)
committerTony Luck <tony.luck@intel.com>
Tue, 24 Jun 2008 17:20:06 +0000 (10:20 -0700)
The fix applied in e0c6d97c65e0784aade7e97b9411f245a6c543e7
"security hole in sn2_ptc_proc_write" didn't take into account
the case where count==0 (which results in a buffer underrun
when adding the trailing '\0').  Thanks to Andi Kleen for
pointing this out.

Signed-off-by: Cliff Wickman <cpw@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
arch/ia64/sn/kernel/sn2/sn2_smp.c

index 6dd886c5d860a29dd71b7c91a168728ff97b4611..e585f9a2afb936c74f9ec0ceea13beb1ef7271c4 100644 (file)
@@ -512,7 +512,7 @@ static ssize_t sn2_ptc_proc_write(struct file *file, const char __user *user, si
        int cpu;
        char optstr[64];
 
-       if (count > sizeof(optstr))
+       if (count == 0 || count > sizeof(optstr))
                return -EINVAL;
        if (copy_from_user(optstr, user, count))
                return -EFAULT;