sysctl: don't overflow the user-supplied buffer with '\0'
authorLinus Torvalds <torvalds@g5.osdl.org>
Sat, 31 Dec 2005 01:18:53 +0000 (17:18 -0800)
committerLinus Torvalds <torvalds@g5.osdl.org>
Sat, 31 Dec 2005 01:18:53 +0000 (17:18 -0800)
If the string was too long to fit in the user-supplied buffer,
the sysctl layer would zero-terminate it by writing past the
end of the buffer. Don't do that.

Noticed by Yi Yang <yang.y.yi@gmail.com>

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
kernel/sysctl.c

index 9990e10192e8e645c62d1e640b67b48edefe762d..ad0425a8f7099d27ee46e95b833897eb2d4dc475 100644 (file)
@@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen,
                if (get_user(len, oldlenp))
                        return -EFAULT;
                if (len) {
-                       l = strlen(table->data);
+                       l = strlen(table->data)+1;
                        if (len > l) len = l;
                        if (len >= table->maxlen)
                                len = table->maxlen;
                        if(copy_to_user(oldval, table->data, len))
                                return -EFAULT;
-                       if(put_user(0, ((char __user *) oldval) + len))
-                               return -EFAULT;
                        if(put_user(len, oldlenp))
                                return -EFAULT;
                }