From 4fcb490b5b2a5b8e33a58c66006460d448cc1c23 Mon Sep 17 00:00:00 2001
From: jhatch
Date: Mon, 13 Jul 2015 12:45:37 -0500
Subject: [IN001224] Fix kernel Oops caused by strsep call walking off end of buffer
---
 io-module/mts_io.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/io-module/mts_io.c b/io-module/mts_io.c
index 995fb1d..84756d2 100644
--- a/io-module/mts_io.c
+++ b/io-module/mts_io.c
@@ -395,29 +395,31 @@ static ssize_t mts_attr_store_radio_reset_backoffs(struct device *dev,
 }
 /* make a copy */
- if( NULL == (timings_data_str = kmalloc(strlen(buf), GFP_KERNEL)) ){
+ if( NULL == (timings_data_str = kzalloc((strlen(buf) + 1), GFP_KERNEL)) ){
 log_error("can`t allocate memory\n");
 return -EINVAL;
 }
- memcpy(timings_data_str, buf, strlen(buf));
+ //log_info("radio_reset_backoffs buf: [%s]", buf);
+ strncpy(timings_data_str, buf, (strlen(buf) + 1));
 /* get number of tokens */
 while (NULL != (pch = strsep (&timings_data_str, delimiter))) {
 int value = 0;
 sscanf(pch, "%d", &value);
+ //log_info("radio reset backoffs pch = [%s]\n", pch);
 if (value > 0){
 size++;
 if (NULL == timings_data) {
 /* make alloc */
 if (NULL == (timings_data = kmalloc(sizeof(unsigned int), GFP_KERNEL))) {
- log_error("can`t allocate memory\n");
+ log_error("radio reset backoffs can`t allocate memory\n");
 goto free;
 }
 } else {
 /* make realloc */
 if (NULL == (timings_data = krealloc(timings_data, size * sizeof(unsigned int), GFP_KERNEL))) {
- log_error("can`t allocate memory\n");
+ log_error("radio reset backoffs can`t allocate memory\n");
 goto free;
 }
 }
@@ -427,9 +429,11 @@ static ssize_t mts_attr_store_radio_reset_backoffs(struct device *dev,
 }
 timings_data_size = size;
+ //log_info("timings_data_size = %d\n", timings_data_size);
 if (NULL != timings_data_str) {
 /* free timings_data_str */
+ /* never get here in happy path */
 kfree(timings_data_str);
 }
 return count;
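Review bot: The buffer obtained from `kzalloc` is still leaked on every successful write, because `strsep(&timings_data_str, delimiter)` advances `timings_data_str` itself and leaves it NULL once the last token has been returned, so the `kfree(timings_data_str)` in the next hunk is skipped (the added comment "never get here in happy path" confirms this). Keep the allocation pointer intact and walk a separate cursor, e.g. `char *cursor = timings_data_str;` with `strsep(&cursor, delimiter)`, then call `kfree(timings_data_str)` unconditionally. The `free` label is outside the hunk; if it also frees `timings_data_str`, the error paths would hand `kfree` a pointer into the middle of the allocation, which is worth checking. `kstrdup(buf, GFP_KERNEL)` would replace the `kzalloc` plus `strncpy` pair, and an allocation failure is conventionally reported as `-ENOMEM` rather than `-EINVAL`.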
@@ -478,10 +482,12 @@ static ssize_t mts_attr_show_radio_reset_backoffs(struct device *dev,
 {
 int ret = 0;
 size_t i = 0;
+ size_t buf_left = 0;
 if (NULL != timings_data) {
 for(i = 0; i < timings_data_size; ++i) {
- ret += sprintf(buf += strlen(buf), "%d ", timings_data[i]);
+ buf_left = PAGE_SIZE - ret;
+ ret += snprintf(buf += strlen(buf), buf_left, "%d ", timings_data[i]);
 }
 }
-- cgit v1.2.3
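Review bot: The new bound in the loop stops protecting the page after the first truncated write, because `snprintf` returns the length it would have written, so `ret` can grow past `PAGE_SIZE` and `buf_left = PAGE_SIZE - ret` then wraps to a very large `size_t`. `scnprintf` returns the bytes actually stored, which keeps both the bound and the returned length inside the page: `ret += scnprintf(buf + ret, PAGE_SIZE - ret, "%u ", timings_data[i]);`. That form also drops the repeated `strlen(buf)` and the `buf +=` side effect, and `%u` matches the `unsigned int` elements the store path appears to allocate. The function's return statement is outside the hunk, so whether `ret` is clamped before being returned cannot be seen here.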