On 11/6/21 23:30, Ajay Garg wrote:
> 2.
> == Calculate the actual length of kbs, add 1, and then copy those many
> bytes to user-buffer ==
>
> ret = copy_to_user(user_kdgkb->kb_string, kbs, len + 1) ?
> -EFAULT : 0;
> =>
> ret = copy_to_user(user_kdgkb->kb_string, kbs, strlen(kbs) + 1) ?
> -EFAULT : 0;
>
But isn't strlen(kbs) is guaranteed to be equal to strlcpy() return
value in this case? As I said in previous emails,
strlen(func_table[kb_func]) < sizeof(user_kdgkb->kb_string) by design of
this function.
That's the whole point of the discussion :)
The method "vt_do_kdgkb_ioctl" does not manage "func_table[kb_func]".
Thus, the method does not know whether or not
strlen(func_table[kb_func]) < sizeof(user_kdgkb->kb_string).
It manages. The code under `case KDSKBSENT:` sets func_table[] entries
via vt_kdskbsent().
kbs = strndup_user(..., sizeof(user_kdgkb->kb_string));
is used to allocate buffer for the func_table[] entry. That's my main
point :)
With regards,
Pavel Skripkin
