Skip to content

Commit

Permalink
[S390] sclp_async: potential buffer overflow
Browse files Browse the repository at this point in the history 
"len" hasn't been properly range checked so we shouldn't use it as an
array offset.  This can only be written to by root but it would still be
annoying to accidentally write more than 3 characters and corrupt your
memory.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
  • Loading branch information
Dan Carpenter authored and Martin Schwidefsky committed Apr 9, 2010
1 parent d7015c1 commit 35ac734
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/s390/char/sclp_async.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ static int proc_handler_callhome(struct ctl_table *ctl, int write,
rc = copy_from_user(buf, buffer, sizeof(buf));
if (rc != 0)
return -EFAULT;
buf[len - 1] = '\0';
buf[sizeof(buf) - 1] = '\0';
if (strict_strtoul(buf, 0, &val) != 0)
return -EINVAL;
if (val != 0 && val != 1)
Expand Down

0 comments on commit 35ac734

Please sign in to comment.