sysctl: don't overflow the user-supplied buffer with '\0'

If the string was too long to fit in the user-supplied buffer, the sysctl layer would zero-terminate it by writing past the end of the buffer. Don't do that. Noticed by Yi Yang <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>
klaby · Dec 31, 2005 · 8febdd8 · 8febdd8
1 parent 8b90db0
commit 8febdd8
Showing 1 changed file with 1 addition and 3 deletions.
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
@@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int __user *name, int nlen,
 		if (get_user(len, oldlenp))
 			return -EFAULT;
 		if (len) {
-			l = strlen(table->data);
+			l = strlen(table->data)+1;
 			if (len > l) len = l;
 			if (len >= table->maxlen)
 				len = table->maxlen;
 			if(copy_to_user(oldval, table->data, len))
 				return -EFAULT;
-			if(put_user(0, ((char __user *) oldval) + len))
-				return -EFAULT;
 			if(put_user(len, oldlenp))
 				return -EFAULT;
 		}