diff options
author | jhatch <jhatch@multitech.com> | 2015-07-13 12:45:37 -0500 |
---|---|---|
committer | jhatch <jhatch@multitech.com> | 2015-07-13 12:45:37 -0500 |
commit | 4fcb490b5b2a5b8e33a58c66006460d448cc1c23 (patch) | |
tree | f18c7cfd642d93190d0ae1e3a46372701d245908 | |
parent | c9d340ec5da3ec96637e2689fffe609dca625e35 (diff) | |
download | mts-io-4fcb490b5b2a5b8e33a58c66006460d448cc1c23.tar.gz mts-io-4fcb490b5b2a5b8e33a58c66006460d448cc1c23.tar.bz2 mts-io-4fcb490b5b2a5b8e33a58c66006460d448cc1c23.zip |
[IN001224] Fix kernel Oops caused by strsep call walking off end of buffer1.1.4
-rw-r--r-- | io-module/mts_io.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/io-module/mts_io.c b/io-module/mts_io.c index 995fb1d..84756d2 100644 --- a/io-module/mts_io.c +++ b/io-module/mts_io.c @@ -395,29 +395,31 @@ static ssize_t mts_attr_store_radio_reset_backoffs(struct device *dev, } /* make a copy */ - if( NULL == (timings_data_str = kmalloc(strlen(buf), GFP_KERNEL)) ){ + if( NULL == (timings_data_str = kzalloc((strlen(buf) + 1), GFP_KERNEL)) ){ log_error("can`t allocate memory\n"); return -EINVAL; } - memcpy(timings_data_str, buf, strlen(buf)); + //log_info("radio_reset_backoffs buf: [%s]", buf); + strncpy(timings_data_str, buf, (strlen(buf) + 1)); /* get number of tokens */ while (NULL != (pch = strsep (&timings_data_str, delimiter))) { int value = 0; sscanf(pch, "%d", &value); + //log_info("radio reset backoffs pch = [%s]\n", pch); if (value > 0){ size++; if (NULL == timings_data) { /* make alloc */ if (NULL == (timings_data = kmalloc(sizeof(unsigned int), GFP_KERNEL))) { - log_error("can`t allocate memory\n"); + log_error("radio reset backoffs can`t allocate memory\n"); goto free; } } else { /* make realloc */ if (NULL == (timings_data = krealloc(timings_data, size * sizeof(unsigned int), GFP_KERNEL))) { - log_error("can`t allocate memory\n"); + log_error("radio reset backoffs can`t allocate memory\n"); goto free; } } @@ -427,9 +429,11 @@ static ssize_t mts_attr_store_radio_reset_backoffs(struct device *dev, } timings_data_size = size; + //log_info("timings_data_size = %d\n", timings_data_size); if (NULL != timings_data_str) { /* free timings_data_str */ + /* never get here in happy path */ kfree(timings_data_str); } return count; @@ -478,10 +482,12 @@ static ssize_t mts_attr_show_radio_reset_backoffs(struct device *dev, { int ret = 0; size_t i = 0; + size_t buf_left = 0; if (NULL != timings_data) { for(i = 0; i < timings_data_size; ++i) { - ret += sprintf(buf += strlen(buf), "%d ", timings_data[i]); + buf_left = PAGE_SIZE - ret; + ret += snprintf(buf += strlen(buf), buf_left, "%d ", timings_data[i]); } } |