From: Cliff Wickman Date: Tue, 24 Jun 2008 17:20:06 +0000 (-0700) Subject: [IA64] Handle count==0 in sn2_ptc_proc_write() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=8097110d179b874d91c6495330c2b96c991e8c6e;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git [IA64] Handle count==0 in sn2_ptc_proc_write() The fix applied in e0c6d97c65e0784aade7e97b9411f245a6c543e7 "security hole in sn2_ptc_proc_write" didn't take into account the case where count==0 (which results in a buffer underrun when adding the trailing '\0'). Thanks to Andi Kleen for pointing this out. Signed-off-by: Cliff Wickman Signed-off-by: Tony Luck --- diff --git a/arch/ia64/sn/kernel/sn2/sn2_smp.c b/arch/ia64/sn/kernel/sn2/sn2_smp.c index 6dd886c5d860..e585f9a2afb9 100644 --- a/arch/ia64/sn/kernel/sn2/sn2_smp.c +++ b/arch/ia64/sn/kernel/sn2/sn2_smp.c @@ -512,7 +512,7 @@ static ssize_t sn2_ptc_proc_write(struct file *file, const char __user *user, si int cpu; char optstr[64]; - if (count > sizeof(optstr)) + if (count == 0 || count > sizeof(optstr)) return -EINVAL; if (copy_from_user(optstr, user, count)) return -EFAULT;