]>
Commit | Line | Data |
---|---|---|
2cb7cef9 BS |
1 | From 97ce0a7f9caf9d715cee815a016ee21575f71c95 Mon Sep 17 00:00:00 2001 |
2 | From: Dan Williams <dan.j.williams@gmail.com> | |
3 | Date: Wed, 24 Sep 2008 22:48:19 -0700 | |
4 | Subject: [PATCH] md: fix input truncation in safe_delay_store() | |
5 | ||
6 | safe_delay_store() currently truncates the last character of input since | |
7 | it tells strlcpy that the buffer can only hold 'len' characters, off by | |
8 | one. sysfs already null terminates the buffer, so just increase the | |
9 | last argument to strlcpy. | |
10 | ||
11 | Signed-off-by: Dan Williams <dan.j.williams@intel.com> | |
12 | Signed-off-by: NeilBrown <neilb@suse.de> | |
13 | --- | |
14 | drivers/md/md.c | 8 +++----- | |
15 | 1 file changed, 3 insertions(+), 5 deletions(-) | |
16 | ||
17 | --- linux-2.6.27-SLE11_BRANCH.orig/drivers/md/md.c | |
18 | +++ linux-2.6.27-SLE11_BRANCH/drivers/md/md.c | |
19 | @@ -2454,12 +2454,11 @@ safe_delay_store(mddev_t *mddev, const c | |
20 | int i; | |
21 | unsigned long msec; | |
22 | char buf[30]; | |
23 | - char *e; | |
24 | + | |
25 | /* remove a period, and count digits after it */ | |
26 | if (len >= sizeof(buf)) | |
27 | return -EINVAL; | |
28 | - strlcpy(buf, cbuf, len); | |
29 | - buf[len] = 0; | |
30 | + strlcpy(buf, cbuf, sizeof(buf)); | |
31 | for (i=0; i<len; i++) { | |
32 | if (dot) { | |
33 | if (isdigit(buf[i])) { | |
34 | @@ -2472,8 +2471,7 @@ safe_delay_store(mddev_t *mddev, const c | |
35 | buf[i] = 0; | |
36 | } | |
37 | } | |
38 | - msec = simple_strtoul(buf, &e, 10); | |
39 | - if (e == buf || (*e && *e != '\n')) | |
40 | + if (strict_strtoul(buf, 10, &msec) < 0) | |
41 | return -EINVAL; | |
42 | msec = (msec * 1000) / scale; | |
43 | if (msec == 0) |