From 4fcb490b5b2a5b8e33a58c66006460d448cc1c23 Mon Sep 17 00:00:00 2001
From: jhatch <jhatch@multitech.com>
Date: Mon, 13 Jul 2015 12:45:37 -0500
Subject: [IN001224] Fix kernel Oops caused by strsep call walking off end of
 buffer

---
 io-module/mts_io.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/io-module/mts_io.c b/io-module/mts_io.c
index 995fb1d..84756d2 100644
--- a/io-module/mts_io.c
+++ b/io-module/mts_io.c
@@ -395,29 +395,31 @@ static ssize_t mts_attr_store_radio_reset_backoffs(struct device *dev,
 	}
 
 	/* make a copy */
-	if( NULL == (timings_data_str = kmalloc(strlen(buf), GFP_KERNEL)) ){
+	if( NULL == (timings_data_str = kzalloc((strlen(buf) + 1), GFP_KERNEL)) ){
 		log_error("can`t allocate memory\n");
 		return -EINVAL;
 	}
 
-	memcpy(timings_data_str, buf, strlen(buf));
+        //log_info("radio_reset_backoffs buf: [%s]", buf);
+        strncpy(timings_data_str, buf, (strlen(buf) + 1));
 
 	/* get number of tokens */
 	while (NULL != (pch = strsep (&timings_data_str, delimiter))) {
 		int value = 0;
 		sscanf(pch, "%d", &value);
+	        //log_info("radio reset backoffs pch = [%s]\n", pch);
 		if (value > 0){
 			size++;
 			if (NULL == timings_data) {
 				/* make alloc */
 				if (NULL == (timings_data = kmalloc(sizeof(unsigned int), GFP_KERNEL))) {
-					log_error("can`t allocate memory\n");
+					log_error("radio reset backoffs can`t allocate memory\n");
 					goto free;
 				}
 			} else {
 				/* make realloc */
 				if (NULL == (timings_data = krealloc(timings_data, size * sizeof(unsigned int), GFP_KERNEL))) {
-					log_error("can`t allocate memory\n");
+					log_error("radio reset backoffs can`t allocate memory\n");
 					goto free;
 				}
 			}
@@ -427,9 +429,11 @@ static ssize_t mts_attr_store_radio_reset_backoffs(struct device *dev,
 	}
 
 	timings_data_size = size;
+	//log_info("timings_data_size = %d\n", timings_data_size);
 
 	if (NULL != timings_data_str) {
 		/* free timings_data_str */
+                /* never get here in happy path */
 		kfree(timings_data_str);
 	}
 	return count;
@@ -478,10 +482,12 @@ static ssize_t mts_attr_show_radio_reset_backoffs(struct device *dev,
 {
 	int ret = 0;
 	size_t i = 0;
+        size_t buf_left = 0;
 
 	if (NULL != timings_data) {
 		for(i = 0; i < timings_data_size; ++i) {
-			ret += sprintf(buf += strlen(buf), "%d ", timings_data[i]);
+                        buf_left = PAGE_SIZE - ret;
+			ret += snprintf(buf += strlen(buf), buf_left, "%d ", timings_data[i]);
 		}
 	}
 	
-- 
cgit v1.2.3