From: wzt.wzt@gmail.com Date: Fri, 2 Apr 2010 06:41:14 +0000 (+0200) Subject: Block: Fix block/elevator.c elevator_get() off-by-one error X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=a506aedc51093544ff0f9610af6066d18cb6abbe;p=GitHub%2Fmt8127%2Fandroid_kernel_alcatel_ttab.git Block: Fix block/elevator.c elevator_get() off-by-one error elevator_get() not check the name length, if the name length > sizeof(elv), elv will miss the '\0'. And elv buffer will be replace "-iosched" as something like aaaaaaaaa, then call request_module() can load an not trust module. Signed-off-by: Zhitong Wang Signed-off-by: Jens Axboe --- diff --git a/block/elevator.c b/block/elevator.c index df75676f6671..76e3702d5381 100644 --- a/block/elevator.c +++ b/block/elevator.c @@ -154,7 +154,7 @@ static struct elevator_type *elevator_get(const char *name) spin_unlock(&elv_list_lock); - sprintf(elv, "%s-iosched", name); + snprintf(elv, sizeof(elv), "%s-iosched", name); request_module("%s", elv); spin_lock(&elv_list_lock);