Commit be561235 authored by Tejun Heo's avatar Tejun Heo Committed by Jens Axboe

[BLOCK] fix string handling in elv_iosched_store

elv_iosched_store doesn't terminate string passed from userspace if
it's too long.  Also, if the written length is zero (probably not
possible), it accesses elevator_name[-1].  This patch fixes both bugs.
Signed-off-by: default avatarTejun Heo <htejun@gmail.com>
Signed-off-by: default avatarJens Axboe <axboe@suse.de>
parent 15853af9
......@@ -762,13 +762,15 @@ error:
ssize_t elv_iosched_store(request_queue_t *q, const char *name, size_t count)
{
char elevator_name[ELV_NAME_MAX];
size_t len;
struct elevator_type *e;
memset(elevator_name, 0, sizeof(elevator_name));
strncpy(elevator_name, name, sizeof(elevator_name));
elevator_name[sizeof(elevator_name) - 1] = '\0';
strncpy(elevator_name, name, sizeof(elevator_name) - 1);
len = strlen(elevator_name);
if (elevator_name[strlen(elevator_name) - 1] == '\n')
elevator_name[strlen(elevator_name) - 1] = '\0';
if (len && elevator_name[len - 1] == '\n')
elevator_name[len - 1] = '\0';
e = elevator_get(elevator_name);
if (!e) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment