Commit 8097110d authored by Cliff Wickman's avatar Cliff Wickman Committed by Tony Luck

[IA64] Handle count==0 in sn2_ptc_proc_write()

The fix applied in e0c6d97c
"security hole in sn2_ptc_proc_write" didn't take into account
the case where count==0 (which results in a buffer underrun
when adding the trailing '\0').  Thanks to Andi Kleen for
pointing this out.
Signed-off-by: default avatarCliff Wickman <cpw@sgi.com>
Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
parent 2826f8c0
...@@ -512,7 +512,7 @@ static ssize_t sn2_ptc_proc_write(struct file *file, const char __user *user, si ...@@ -512,7 +512,7 @@ static ssize_t sn2_ptc_proc_write(struct file *file, const char __user *user, si
int cpu; int cpu;
char optstr[64]; char optstr[64];
if (count > sizeof(optstr)) if (count == 0 || count > sizeof(optstr))
return -EINVAL; return -EINVAL;
if (copy_from_user(optstr, user, count)) if (copy_from_user(optstr, user, count))
return -EFAULT; return -EFAULT;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment