diff options
author | Heiko Carstens <heiko.carstens@de.ibm.com> | 2013-02-21 16:30:42 +0400 |
---|---|---|
committer | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2013-02-28 12:37:08 +0400 |
commit | f45655f6a65538237359abce55edab9cfcc6d82f (patch) | |
tree | bf392ffe658ae512ed992ff24a3b6f5a32c092f7 /arch/s390/lib/uaccess_pt.c | |
parent | d7b788cd06a3080ebf0b2f5f2e008d4fda2b336e (diff) | |
download | linux-f45655f6a65538237359abce55edab9cfcc6d82f.tar.xz |
s390/uaccess: fix strncpy_from_user/strnlen_user zero maxlen case
If the maximum length specified for the to be accessed string for
strncpy_from_user() and strnlen_user() is zero the following incorrect
values would be returned or incorrect memory accesses would happen:
strnlen_user_std() and strnlen_user_pt() incorrectly return "1"
strncpy_from_user_pt() would incorrectly access "dst[maxlen - 1]"
strncpy_from_user_mvcos() would incorrectly return "-EFAULT"
Fix all these oddities by adding early checks.
Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'arch/s390/lib/uaccess_pt.c')
-rw-r--r-- | arch/s390/lib/uaccess_pt.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/arch/s390/lib/uaccess_pt.c b/arch/s390/lib/uaccess_pt.c index a70ee84c0241..c1aaf22c326b 100644 --- a/arch/s390/lib/uaccess_pt.c +++ b/arch/s390/lib/uaccess_pt.c @@ -172,6 +172,8 @@ static size_t strnlen_user_pt(size_t count, const char __user *src) unsigned long offset, done, len, kaddr; size_t len_str; + if (unlikely(!count)) + return 0; if (segment_eq(get_fs(), KERNEL_DS)) return strnlen((const char __kernel __force *) src, count) + 1; done = 0; @@ -202,6 +204,8 @@ static size_t strncpy_from_user_pt(size_t count, const char __user *src, { size_t n = strnlen_user_pt(count, src); + if (unlikely(!count)) + return 0; if (!n) return -EFAULT; if (n > count) |