提交 35ac734f 编写于 作者: D Dan Carpenter 提交者: Martin Schwidefsky

[S390] sclp_async: potential buffer overflow

"len" hasn't been properly range checked so we shouldn't use it as an
array offset.  This can only be written to by root but it would still be
annoying to accidentally write more than 3 characters and corrupt your
memory.
Signed-off-by: NDan Carpenter <error27@gmail.com>
Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
上级 d7015c12
......@@ -85,7 +85,7 @@ static int proc_handler_callhome(struct ctl_table *ctl, int write,
rc = copy_from_user(buf, buffer, sizeof(buf));
if (rc != 0)
return -EFAULT;
buf[len - 1] = '\0';
buf[sizeof(buf) - 1] = '\0';
if (strict_strtoul(buf, 0, &val) != 0)
return -EINVAL;
if (val != 0 && val != 1)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册