diff options
author | Cliff Wickman <cpw@sgi.com> | 2008-06-24 10:20:06 -0700 |
---|---|---|
committer | Tony Luck <tony.luck@intel.com> | 2008-06-24 10:20:06 -0700 |
commit | 8097110d179b874d91c6495330c2b96c991e8c6e (patch) | |
tree | 8ca93d3c7758953f468e5b25708d68dfd732b307 | |
parent | 2826f8c0f4c97b7db33e2a680f184d828eb7a785 (diff) | |
download | op-kernel-dev-8097110d179b874d91c6495330c2b96c991e8c6e.zip op-kernel-dev-8097110d179b874d91c6495330c2b96c991e8c6e.tar.gz |
[IA64] Handle count==0 in sn2_ptc_proc_write()
The fix applied in e0c6d97c65e0784aade7e97b9411f245a6c543e7
"security hole in sn2_ptc_proc_write" didn't take into account
the case where count==0 (which results in a buffer underrun
when adding the trailing '\0'). Thanks to Andi Kleen for
pointing this out.
Signed-off-by: Cliff Wickman <cpw@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
-rw-r--r-- | arch/ia64/sn/kernel/sn2/sn2_smp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/ia64/sn/kernel/sn2/sn2_smp.c b/arch/ia64/sn/kernel/sn2/sn2_smp.c index 6dd886c..e585f9a 100644 --- a/arch/ia64/sn/kernel/sn2/sn2_smp.c +++ b/arch/ia64/sn/kernel/sn2/sn2_smp.c @@ -512,7 +512,7 @@ static ssize_t sn2_ptc_proc_write(struct file *file, const char __user *user, si int cpu; char optstr[64]; - if (count > sizeof(optstr)) + if (count == 0 || count > sizeof(optstr)) return -EINVAL; if (copy_from_user(optstr, user, count)) return -EFAULT; |