[PATCH] proc_loginuid_write() uses simple_strtoul() on non-terminated array
authorAl Viro <viro@zeniv.linux.org.uk>
Thu, 18 May 2006 12:28:02 +0000 (08:28 -0400)
committerAl Viro <viro@zeniv.linux.org.uk>
Tue, 20 Jun 2006 09:25:24 +0000 (05:25 -0400)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/proc/base.c

index 6cc77dc3f3ff79c49fa7d4ce89360b595995d839..6afff725a8c922b08bb3b6bbd52bf044ecc42e6c 100644 (file)
@@ -1019,8 +1019,8 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
        if (current != task)
                return -EPERM;
 
-       if (count > PAGE_SIZE)
-               count = PAGE_SIZE;
+       if (count >= PAGE_SIZE)
+               count = PAGE_SIZE - 1;
 
        if (*ppos != 0) {
                /* No partial writes. */
@@ -1033,6 +1033,7 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
        if (copy_from_user(page, buf, count))
                goto out_free_page;
 
+       page[count] = '\0';
        loginuid = simple_strtoul(page, &tmp, 10);
        if (tmp == page) {
                length = -EINVAL;