From: Linus Torvalds Date: Sat, 31 Dec 2005 01:18:53 +0000 (-0800) Subject: sysctl: don't overflow the user-supplied buffer with '\0' X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git sysctl: don't overflow the user-supplied buffer with '\0' If the string was too long to fit in the user-supplied buffer, the sysctl layer would zero-terminate it by writing past the end of the buffer. Don't do that. Noticed by Yi Yang Signed-off-by: Linus Torvalds --- diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 9990e10192e8..ad0425a8f709 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen, if (get_user(len, oldlenp)) return -EFAULT; if (len) { - l = strlen(table->data); + l = strlen(table->data)+1; if (len > l) len = l; if (len >= table->maxlen) len = table->maxlen; if(copy_to_user(oldval, table->data, len)) return -EFAULT; - if(put_user(0, ((char __user *) oldval) + len)) - return -EFAULT; if(put_user(len, oldlenp)) return -EFAULT; }