src/patches/suse-2.6.27.25/patches.fixes/0002-md-fix-input-truncation-in-safe_delay_store.patch

   1 From 97ce0a7f9caf9d715cee815a016ee21575f71c95 Mon Sep 17 00:00:00 2001
   2 From: Dan Williams <dan.j.williams@gmail.com>
   3 Date: Wed, 24 Sep 2008 22:48:19 -0700
   4 Subject: [PATCH] md: fix input truncation in safe_delay_store()
   5
   6 safe_delay_store() currently truncates the last character of input since
   7 it tells strlcpy that the buffer can only hold 'len' characters, off by
   8 one.  sysfs already null terminates the buffer, so just increase the
   9 last argument to strlcpy.
  10
  11 Signed-off-by: Dan Williams <dan.j.williams@intel.com>
  12 Signed-off-by: NeilBrown <neilb@suse.de>
  13 ---
  14  drivers/md/md.c |    8 +++-----
  15  1 file changed, 3 insertions(+), 5 deletions(-)
  16
  17 --- linux-2.6.27-SLE11_BRANCH.orig/drivers/md/md.c
  18 +++ linux-2.6.27-SLE11_BRANCH/drivers/md/md.c
  19 @@ -2454,12 +2454,11 @@ safe_delay_store(mddev_t *mddev, const c
  20         int i;
  21         unsigned long msec;
  22         char buf[30];
  23 -       char *e;
  24 +
  25         /* remove a period, and count digits after it */
  26         if (len >= sizeof(buf))
  27                 return -EINVAL;
  28 -       strlcpy(buf, cbuf, len);
  29 -       buf[len] = 0;
  30 +       strlcpy(buf, cbuf, sizeof(buf));
  31         for (i=0; i<len; i++) {
  32                 if (dot) {
  33                         if (isdigit(buf[i])) {
  34 @@ -2472,8 +2471,7 @@ safe_delay_store(mddev_t *mddev, const c
  35                         buf[i] = 0;
  36                 }
  37         }
  38 -       msec = simple_strtoul(buf, &e, 10);
  39 -       if (e == buf || (*e && *e != '\n'))
  40 +       if (strict_strtoul(buf, 10, &msec) < 0)
  41                 return -EINVAL;
  42         msec = (msec * 1000) / scale;
  43         if (msec == 0)