Commit a506aedc authored by wzt.wzt@gmail.com's avatar wzt.wzt@gmail.com Committed by Jens Axboe

Block: Fix block/elevator.c elevator_get() off-by-one error

elevator_get() not check the name length, if the name length > sizeof(elv),
elv will miss the '\0'. And elv buffer will be replace "-iosched" as something
like aaaaaaaaa, then call request_module() can load an not trust module.
Signed-off-by: default avatarZhitong Wang <zhitong.wangzt@alibaba-inc.com>
Signed-off-by: default avatarJens Axboe <jens.axboe@oracle.com>
parent b2b163dd
...@@ -154,7 +154,7 @@ static struct elevator_type *elevator_get(const char *name) ...@@ -154,7 +154,7 @@ static struct elevator_type *elevator_get(const char *name)
spin_unlock(&elv_list_lock); spin_unlock(&elv_list_lock);
sprintf(elv, "%s-iosched", name); snprintf(elv, sizeof(elv), "%s-iosched", name);
request_module("%s", elv); request_module("%s", elv);
spin_lock(&elv_list_lock); spin_lock(&elv_list_lock);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment