Hi!

> If userspace doesn't end the input with a newline (which can easily
> happen if the write happens from a C program that does write(fd,
> iface, strlen(iface))), we may end up including garbage from a
> previous, longer value in the device_name. For example
>
> # cat device_name
>
> # printf 'eth12' > device_name
> # cat device_name
> eth12
> # printf 'eth3' > device_name
> # cat device_name
> eth32
>
> I highly doubt anybody is relying on this behaviour, so switch to
> simply copying the bytes (we've already checked that size is <
> IFNAMSIZ) and unconditionally zero-terminate it; of course, we also
> still have to strip a trailing newline.

	char device_name[IFNAMSIZ];

Ok, good catch reporting the bug, but are you sure the fix is right?

AFAICT the design is that device_name does _not_ have to be zero
terminated, and your fix incorrectly limits the size of device_name.

								Pavel

> index 3dd3ed46d473..ddc2b90ad7ec 100644
> --- a/drivers/leds/trigger/ledtrig-netdev.c
> +++ b/drivers/leds/trigger/ledtrig-netdev.c
> @@ -122,7 +122,8 @@ static ssize_t device_name_store(struct device *dev,
> trigger_data->net_dev = NULL;
> }
>
> - strncpy(trigger_data->device_name, buf, size);
> + memcpy(trigger_data->device_name, buf, size);
> + trigger_data->device_name[size] = '\0';

I'd do = 0 for consistency with code below.

I believe the strncpy() is right to use here, but code should be
modified so that zero-termination is not required.

> if (size > 0 && trigger_data->device_name[size - 1] == '\n')
> trigger_data->device_name[size - 1] = 0;
>

								Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
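Review bot: the new `trigger_data->device_name[size] = '\0';` in the device_name_store() hunk is in bounds only if the earlier size check is strictly `size < IFNAMSIZ` (with size == IFNAMSIZ - 1 the terminator lands in the last byte of `char device_name[IFNAMSIZ]`; with size == IFNAMSIZ it is one past the end); the commit message asserts that check exists, but the hunk does not show it, so either widen the hunk context to include it or put a one-line comment above the memcpy() stating the bound, so the off-by-one is visible where it matters. The retained `device_name[size - 1] = 0` newline strip that follows is consistent with the new terminator (both bytes end up zero). The removed `strncpy(..., size)` copied exactly `size` bytes without padding, which is why the tail of a previous longer name survived; if the field is meant to stay unterminated, as the reply argues, the fix would have to clear that tail rather than rely on a terminator.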
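The transcript in the commit message above, replayed in userspace as an added example (this is not the kernel's code, nor code posted by either participant): a reduced model of device_name_store() with the pre-patch strncpy() path beside the patched memcpy() path, operating on a zeroed `char device_name[IFNAMSIZ]`. The struct name, the `size >= IFNAMSIZ` rejection (the commit message says such a check exists; its exact form in the driver is assumed here) and the function names are simplified stand-ins.

```c
/* Userspace model of device_name_store() in ledtrig-netdev.c.
 * Added example, not the kernel's code: the struct, the size check and the
 * copy logic are reduced to what the quoted hunk and commit message show. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define IFNAMSIZ 16	/* same value as the kernel's <linux/if.h>, redefined so this builds in userspace */

struct led_netdev_data {	/* stand-in for the driver's trigger_data */
	char device_name[IFNAMSIZ];
};

typedef ssize_t (*store_fn)(struct led_netdev_data *, const char *, size_t);

/* Pre-patch path. strncpy() copies exactly `size` bytes and, because buf is
 * at least `size` bytes long, never pads or writes a terminator; bytes left
 * over from a previous, longer name survive from position `size` onwards. */
static ssize_t store_before(struct led_netdev_data *td, const char *buf, size_t size)
{
	if (size >= IFNAMSIZ)	/* the "size < IFNAMSIZ" check the commit message refers to (form assumed) */
		return -EINVAL;
	strncpy(td->device_name, buf, size);
	if (size > 0 && td->device_name[size - 1] == '\n')
		td->device_name[size - 1] = 0;
	return size;
}

/* Patched path. The terminator at device_name[size] is in bounds only
 * because the check above guarantees size <= IFNAMSIZ - 1. */
static ssize_t store_after(struct led_netdev_data *td, const char *buf, size_t size)
{
	if (size >= IFNAMSIZ)
		return -EINVAL;
	memcpy(td->device_name, buf, size);
	td->device_name[size] = 0;
	if (size > 0 && td->device_name[size - 1] == '\n')
		td->device_name[size - 1] = 0;
	return size;
}

/* Replay the commit message's transcript: "eth12" then "eth3", both written
 * without a trailing newline (as write(fd, iface, strlen(iface)) would do),
 * into an attribute that starts out empty. Copies the final name into out. */
static char *replay(store_fn store, char out[IFNAMSIZ])
{
	struct led_netdev_data td;

	memset(&td, 0, sizeof(td));
	store(&td, "eth12", 5);
	store(&td, "eth3", 4);
	memcpy(out, td.device_name, IFNAMSIZ);
	return out;
}

static int replay_matches(store_fn store, const char *expected)
{
	char out[IFNAMSIZ];

	return strcmp(replay(store, out), expected) == 0;
}

/* Edge cases for the patched path: a newline-terminated write is stripped,
 * the longest legal name (IFNAMSIZ - 1 bytes) is terminated in bounds, and
 * an IFNAMSIZ-byte name is rejected before anything is copied. Returns 1
 * when all three hold. */
static int check_edges(void)
{
	struct led_netdev_data td;

	memset(&td, 0, sizeof(td));
	if (store_after(&td, "eth0\n", 5) != 5 || strcmp(td.device_name, "eth0") != 0)
		return 0;
	if (store_after(&td, "123456789012345", 15) != 15 ||
	    strcmp(td.device_name, "123456789012345") != 0)
		return 0;
	if (store_after(&td, "0123456789abcdef", 16) != -EINVAL)
		return 0;
	return strcmp(td.device_name, "123456789012345") == 0;	/* untouched by the rejected write */
}

int main(void)
{
	char name[IFNAMSIZ];

	printf("before patch: %s\n", replay(store_before, name));	/* eth32 */
	printf("after patch:  %s\n", replay(store_after, name));	/* eth3 */
	printf("edge cases ok: %d\n", check_edges());
	return 0;
}
```

The model keeps the struct zeroed at start, which is why the stale "2" shows up as a readable string in the buggy path rather than as unterminated garbage; on a buffer that was never zeroed the pre-patch strncpy() would leave device_name unterminated as well, which is the point the reply raises about whether zero-termination is required by design.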