[ipfire-2.x.git] / src / patches / suse-2.6.27.39 / patches.fixes / 0002-md-fix-input-truncation-in-safe_delay_store.patch

From 97ce0a7f9caf9d715cee815a016ee21575f71c95 Mon Sep 17 00:00:00 2001
From: Dan Williams <dan.j.williams@gmail.com>
Date: Wed, 24 Sep 2008 22:48:19 -0700
Subject: [PATCH] md: fix input truncation in safe_delay_store()

safe_delay_store() currently truncates the last character of input since
it tells strlcpy that the buffer can only hold 'len' characters, off by
one.  sysfs already null terminates the buffer, so just increase the
last argument to strlcpy.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: NeilBrown <neilb@suse.de>
---
 drivers/md/md.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- linux-2.6.27-SLE11_BRANCH.orig/drivers/md/md.c
+++ linux-2.6.27-SLE11_BRANCH/drivers/md/md.c
@@ -2454,12 +2454,11 @@ safe_delay_store(mddev_t *mddev, const c
 	int i;
 	unsigned long msec;
 	char buf[30];
-	char *e;
+
 	/* remove a period, and count digits after it */
 	if (len >= sizeof(buf))
 		return -EINVAL;
-	strlcpy(buf, cbuf, len);
-	buf[len] = 0;
+	strlcpy(buf, cbuf, sizeof(buf));
 	for (i=0; i<len; i++) {
 		if (dot) {
 			if (isdigit(buf[i])) {
@@ -2472,8 +2471,7 @@ safe_delay_store(mddev_t *mddev, const c
 			buf[i] = 0;
 		}
 	}
-	msec = simple_strtoul(buf, &e, 10);
-	if (e == buf || (*e && *e != '\n'))
+	if (strict_strtoul(buf, 10, &msec) < 0)
 		return -EINVAL;
 	msec = (msec * 1000) / scale;
 	if (msec == 0)
Commit	Line	Data
2cb7cef9 BS	1	From 97ce0a7f9caf9d715cee815a016ee21575f71c95 Mon Sep 17 00:00:00 2001
	2	From: Dan Williams <dan.j.williams@gmail.com>
	3	Date: Wed, 24 Sep 2008 22:48:19 -0700
	4	Subject: [PATCH] md: fix input truncation in safe_delay_store()
	5
	6	safe_delay_store() currently truncates the last character of input since
	7	it tells strlcpy that the buffer can only hold 'len' characters, off by
	8	one. sysfs already null terminates the buffer, so just increase the
	9	last argument to strlcpy.
	10
	11	Signed-off-by: Dan Williams <dan.j.williams@intel.com>
	12	Signed-off-by: NeilBrown <neilb@suse.de>
	13	---
	14	drivers/md/md.c \| 8 +++-----
	15	1 file changed, 3 insertions(+), 5 deletions(-)
	16
	17	--- linux-2.6.27-SLE11_BRANCH.orig/drivers/md/md.c
	18	+++ linux-2.6.27-SLE11_BRANCH/drivers/md/md.c
	19	@@ -2454,12 +2454,11 @@ safe_delay_store(mddev_t *mddev, const c
	20	int i;
	21	unsigned long msec;
	22	char buf[30];
	23	- char *e;
	24	+
	25	/* remove a period, and count digits after it */
	26	if (len >= sizeof(buf))
	27	return -EINVAL;
	28	- strlcpy(buf, cbuf, len);
	29	- buf[len] = 0;
	30	+ strlcpy(buf, cbuf, sizeof(buf));
	31	for (i=0; i<len; i++) {
	32	if (dot) {
	33	if (isdigit(buf[i])) {
	34	@@ -2472,8 +2471,7 @@ safe_delay_store(mddev_t *mddev, const c
	35	buf[i] = 0;
	36	}
	37	}
	38	- msec = simple_strtoul(buf, &e, 10);
	39	- if (e == buf \|\| (e && e != '\n'))
	40	+ if (strict_strtoul(buf, 10, &msec) < 0)
	41	return -EINVAL;
	42	msec = (msec * 1000) / scale;
	43	if (msec == 0)