[IA64] Handle count==0 in sn2_ptc_proc_write()

The fix applied in e0c6d97c "security hole in sn2_ptc_proc_write" didn't take into account the case where count==0 (which results in a buffer underrun when adding the trailing '\0'). Thanks to Andi Kleen for pointing this out. Signed-off-by: N Cliff Wickman <cpw@sgi.com> Signed-off-by: N Tony Luck <tony.luck@intel.com>

[IA64] Handle count==0 in sn2_ptc_proc_write()
The fix applied in e0c6d97c "security hole in sn2_ptc_proc_write" didn't take into account the case where count==0 (which results in a buffer underrun when adding the trailing '\0'). Thanks to Andi Kleen for pointing this out. Signed-off-by: N Cliff Wickman <cpw@sgi.com> Signed-off-by: N Tony Luck <tony.luck@intel.com>
8097110d · Cliff Wickman · Tony Luck · 2826f8c0 · 8097110d
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

arch/ia64/sn/kernel/sn2/sn2_smp.c arch/ia64/sn/kernel/sn2/sn2_smp.c +1 -1

未找到文件。
--- a/arch/ia64/sn/kernel/sn2/sn2_smp.c
+++ b/arch/ia64/sn/kernel/sn2/sn2_smp.c
@@ -512,7 +512,7 @@ static ssize_t sn2_ptc_proc_write(struct file *file, const char __user *user, si
 	int cpu;
 	char optstr[64];

-	if (count > sizeof(optstr))
+	if (count == 0 || count > sizeof(optstr))
 		return -EINVAL;
 	if (copy_from_user(optstr, user, count))
 		return -EFAULT;