diff options
author | Heiko Carstens <heiko.carstens@de.ibm.com> | 2009-10-29 15:04:11 +0100 |
---|---|---|
committer | Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com> | 2009-10-29 15:05:12 +0100 |
commit | e8a79c9ec779168502402a8b834abf8cf38a325a (patch) | |
tree | 4d473feebe815ea3b76a21268e2642e748fb5e38 | |
parent | 4a0fb4c44573759f878fc65f6ddbd46080748f8b (diff) |
[S390] call home: fix string length handling
After copying uts->nodename to the static nodename array the static
version isn't necessarily zero termininated, since the size of the
array is one byte too short.
Afterwards doing strncat(data, nodename, strlen(nodename)); may copy
an arbitrary large amount of bytes.
Fix this by getting rid of the static array and using strncat with
proper length limit.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-rw-r--r-- | drivers/s390/char/sclp_async.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/drivers/s390/char/sclp_async.c b/drivers/s390/char/sclp_async.c index 3c20aa13118..b44462a6c6d 100644 --- a/drivers/s390/char/sclp_async.c +++ b/drivers/s390/char/sclp_async.c @@ -26,7 +26,6 @@ static struct sclp_async_sccb *sccb; static int sclp_async_send_wait(char *message); static struct ctl_table_header *callhome_sysctl_header; static DEFINE_SPINLOCK(sclp_async_lock); -static char nodename[64]; #define SCLP_NORMAL_WRITE 0x00 struct async_evbuf { @@ -52,9 +51,10 @@ static struct sclp_register sclp_async_register = { static int call_home_on_panic(struct notifier_block *self, unsigned long event, void *data) { - strncat(data, nodename, strlen(nodename)); - sclp_async_send_wait(data); - return NOTIFY_DONE; + strncat(data, init_utsname()->nodename, + sizeof(init_utsname()->nodename)); + sclp_async_send_wait(data); + return NOTIFY_DONE; } static struct notifier_block call_home_panic_nb = { @@ -183,10 +183,8 @@ static int __init sclp_async_init(void) goto out_mem; rc = atomic_notifier_chain_register(&panic_notifier_list, &call_home_panic_nb); - if (rc) - goto out_mem; - strncpy(nodename, init_utsname()->nodename, 64); - goto out; + if (!rc) + goto out; out_mem: kfree(request); free_page((unsigned long) sccb); |