The patch titled
Subject: drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings
has been removed from the -mm tree. Its filename was
rapidio-mport_cdev-nul-terminate-some-strings.patch
This patch was dropped because it was merged into mainline or a subsystem tree
------------------------------------------------------
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Subject: drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings
The dev_info.name[] array has space for RIO_MAX_DEVNAME_SZ + 1 characters.
But the problem here is that we don't ensure that the user put a NUL
terminator on the end of the string. It could lead to an out of bounds
read.
Link: http://lkml.kernel.org/r/20190529110601.GB19119@mwanda
Fixes: e8de370188d0 ("rapidio: add mport char device driver")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Acked-by: Alexandre Bounine <alex.bou9@xxxxxxxxx>
Cc: Ira Weiny <ira.weiny@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
drivers/rapidio/devices/rio_mport_cdev.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/rapidio/devices/rio_mport_cdev.c~rapidio-mport_cdev-nul-terminate-some-strings
+++ a/drivers/rapidio/devices/rio_mport_cdev.c
@@ -1686,6 +1686,7 @@ static int rio_mport_add_riodev(struct m
if (copy_from_user(&dev_info, arg, sizeof(dev_info)))
return -EFAULT;
+ dev_info.name[sizeof(dev_info.name) - 1] = '\0';
rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name,
dev_info.comptag, dev_info.destid, dev_info.hopcount);
@@ -1817,6 +1818,7 @@ static int rio_mport_del_riodev(struct m
if (copy_from_user(&dev_info, arg, sizeof(dev_info)))
return -EFAULT;
+ dev_info.name[sizeof(dev_info.name) - 1] = '\0';
mport = priv->md->mport;
_
Patches currently in -mm which might be from dan.carpenter@xxxxxxxxxx are
