summaryrefslogtreecommitdiff
path: root/arch/powerpc/kernel/lparcfg.c
diff options
context:
space:
mode:
authorChen Gang <gang.chen@asianux.com>2013-04-22 17:12:54 +0000
committerBenjamin Herrenschmidt <benh@kernel.crashing.org>2013-04-23 16:39:35 +1000
commit5676005acf26ab7e924a8438ea4746e47d405762 (patch)
tree0611d07d624ad794b4599d2cd2868bfecc497db6 /arch/powerpc/kernel/lparcfg.c
parentebd004e4edd5628617c0faed11162b8a095ad852 (diff)
powerpc/pseries/lparcfg: Fix possible overflow are more than 1026
need set '\0' for 'local_buffer'. SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of rtas_data_buf may truncated in memcpy. if contents are really truncated. the splpar_strlen is more than 1026. the next while loop checking will not find the end of buffer. that will cause memory access violation. Signed-off-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Diffstat (limited to 'arch/powerpc/kernel/lparcfg.c')
-rw-r--r--arch/powerpc/kernel/lparcfg.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/arch/powerpc/kernel/lparcfg.c b/arch/powerpc/kernel/lparcfg.c
index f5725bce9ed2..ab297f492c67 100644
--- a/arch/powerpc/kernel/lparcfg.c
+++ b/arch/powerpc/kernel/lparcfg.c
@@ -301,6 +301,7 @@ static void parse_system_parameter_string(struct seq_file *m)
__pa(rtas_data_buf),
RTAS_DATA_BUF_SIZE);
memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
+ local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
spin_unlock(&rtas_data_buf_lock);
if (call_status != 0) {