From b72e4c9f5aedb5c8f199840536622e2e26f3983d Mon Sep 17 00:00:00 2001
From: Kyle McMartin <kyle@mcmartin.ca>
Date: Tue, 7 Feb 2006 12:58:47 -0800
Subject: [PATCH] --- yaml --- r: 19984 b: refs/heads/master c:
 1fcbf053e55e961112f237dc690129f0858156f1 h: refs/heads/master v: v3

---
 [refs]                            |  2 +-
 trunk/arch/parisc/hpux/sys_hpux.c | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/[refs] b/[refs]
index f12d2208e615..956351d6d385 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: b5173119ff10c5538e92a7957a50887ae170b8da
+refs/heads/master: 1fcbf053e55e961112f237dc690129f0858156f1
diff --git a/trunk/arch/parisc/hpux/sys_hpux.c b/trunk/arch/parisc/hpux/sys_hpux.c
index 29b4d61898f2..05273ccced0e 100644
--- a/trunk/arch/parisc/hpux/sys_hpux.c
+++ b/trunk/arch/parisc/hpux/sys_hpux.c
@@ -468,19 +468,23 @@ int hpux_sysfs(int opcode, unsigned long arg1, unsigned long arg2)
 	if ( opcode == 1 ) { /* GETFSIND */	
 		len = strlen_user((char *)arg1);
 		printk(KERN_DEBUG "len of arg1 = %d\n", len);
-
-		fsname = (char *) kmalloc(len+1, GFP_KERNEL);
+		if (len == 0)
+			return 0;
+		fsname = (char *) kmalloc(len, GFP_KERNEL);
 		if ( !fsname ) {
 			printk(KERN_DEBUG "failed to kmalloc fsname\n");
 			return 0;
 		}
 
-		if ( copy_from_user(fsname, (char *)arg1, len+1) ) {
+		if ( copy_from_user(fsname, (char *)arg1, len) ) {
 			printk(KERN_DEBUG "failed to copy_from_user fsname\n");
 			kfree(fsname);
 			return 0;
 		}
 
+		/* String could be altered by userspace after strlen_user() */
+		fsname[len] = '\0';
+
 		printk(KERN_DEBUG "that is '%s' as (char *)\n", fsname);
 		if ( !strcmp(fsname, "hfs") ) {
 			fstype = 0;