From: Kaushlendra Kumar Date: Sat, 30 Aug 2025 17:20:22 +0000 (+0530) Subject: tools/mm/slabinfo: fix access to null terminator in string boundary X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4fa5b88e772372e7ea3faccd0bbab03cb32104ed;p=thirdparty%2Fkernel%2Fstable.git tools/mm/slabinfo: fix access to null terminator in string boundary The current code incorrectly accesses buffer[strlen(buffer)], which points to the null terminator ('\0') at the end of the string. This is technically out-of-bounds access since valid string content ends at index strlen(buffer)-1. Fix by: 1. Declaring strlen() result variable at function scope 2. Adding bounds check (len > 0) to handle empty strings 3. Using buffer[len-1] to correctly access the last character before the null terminator [kaushlendra.kumar@intel.com: remove unnecessary blank line] Link: https://lkml.kernel.org/r/20250901044955.3902815-1-kaushlendra.kumar@intel.com Link: https://lkml.kernel.org/r/20250830172022.1927448-1-kaushlendra.kumar@intel.com Signed-off-by: Kaushlendra Kumar Acked-by: SeongJae Park Signed-off-by: Andrew Morton --- diff --git a/tools/mm/slabinfo.c b/tools/mm/slabinfo.c index 1433eff99feb0..80cdbd3db82df 100644 --- a/tools/mm/slabinfo.c +++ b/tools/mm/slabinfo.c @@ -155,6 +155,7 @@ static void usage(void) static unsigned long read_obj(const char *name) { + size_t len; FILE *f = fopen(name, "r"); if (!f) { @@ -165,8 +166,10 @@ static unsigned long read_obj(const char *name) if (!fgets(buffer, sizeof(buffer), f)) buffer[0] = 0; fclose(f); - if (buffer[strlen(buffer)] == '\n') - buffer[strlen(buffer)] = 0; + len = strlen(buffer); + + if (len > 0 && buffer[len - 1] == '\n') + buffer[len - 1] = 0; } return strlen(buffer); }