drm/nouveau/pm: don't read/write beyond end of stack buffer

NUL-terminate after strncpy. If the parameter "profile" has length 16 or more, then strncpy leaves "string" with no NUL terminator, so the following search for '\n' may read beyond the end of that 16-byte buffer. If it finds a newline there, then it will also write beyond the end of that stack buffer. Signed-off-by: Jim Meyering <meyering@redhat.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
author: Jim Meyering <jim@meyering.net> 2012-04-17 21:27:54 +0200
committer: Dave Airlie <airlied@redhat.com> 2012-04-19 14:38:54 +0100
commit: 5799d9e2eab20ef694fb92a7636f451e1b0e456c (patch)
tree: 2146fbc6521a354b9194bc46954a394802a6e68e
parent: 5edaad87000a143504a8f8e2864bb415a9287d94 (diff)
download: op-kernel-dev-5799d9e2eab20ef694fb92a7636f451e1b0e456c.zip
op-kernel-dev-5799d9e2eab20ef694fb92a7636f451e1b0e456c.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/gpu/drm/nouveau/nouveau_pm.c b/drivers/gpu/drm/nouveau/nouveau_pm.c
index 34d591b..da3e7c3 100644
--- a/drivers/gpu/drm/nouveau/nouveau_pm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_pm.c
@@ -235,6 +235,7 @@ nouveau_pm_profile_set(struct drm_device *dev, const char *profile)
 		return -EPERM;
 
 	strncpy(string, profile, sizeof(string));
+	string[sizeof(string) - 1] = 0;
 	if ((ptr = strchr(string, '\n')))
 		*ptr = '\0';
author	Jim Meyering <jim@meyering.net>	2012-04-17 21:27:54 +0200
committer	Dave Airlie <airlied@redhat.com>	2012-04-19 14:38:54 +0100
commit	5799d9e2eab20ef694fb92a7636f451e1b0e456c (patch)
tree	2146fbc6521a354b9194bc46954a394802a6e68e
parent	5edaad87000a143504a8f8e2864bb415a9287d94 (diff)
download	op-kernel-dev-5799d9e2eab20ef694fb92a7636f451e1b0e456c.zip op-kernel-dev-5799d9e2eab20ef694fb92a7636f451e1b0e456c.tar.gz