Block: Fix block/elevator.c elevator_get() off-by-one error

elevator_get() not check the name length, if the name length > sizeof(elv), elv will miss the '\0'. And elv buffer will be replace "-iosched" as something like aaaaaaaaa, then call request_module() can load an not trust module. Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: Jens Axboe <jens.axboe@oracle.com>

Block: Fix block/elevator.c elevator_get() off-by-one error
elevator_get() not check the name length, if the name length > sizeof(elv), elv will miss the '\0'. And elv buffer will be replace "-iosched" as something like aaaaaaaaa, then call request_module() can load an not trust module. Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
a506aedc · wzt.wzt@gmail.com · Jens Axboe · b2b163dd · a506aedc
Commit a506aedc authored Apr 02, 2010 by wzt.wzt@gmail.com Committed by Jens Axboe Apr 02, 2010
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

block/elevator.c block/elevator.c +1 -1

No files found.
--- a/block/elevator.c
+++ b/block/elevator.c
@@ -154,7 +154,7 @@ static struct elevator_type *elevator_get(const char *name)

 		spin_unlock(&elv_list_lock);

-		sprintf(elv, "%s-iosched", name);
+		snprintf(elv, sizeof(elv), "%s-iosched", name);

 		request_module("%s", elv);
 		spin_lock(&elv_list_lock);