UBI: improve mkvol request validation
authorArtem Bityutskiy <Artem.Bityutskiy@nokia.com>
Sun, 13 Jul 2008 18:46:24 +0000 (21:46 +0300)
committerArtem Bityutskiy <Artem.Bityutskiy@nokia.com>
Thu, 24 Jul 2008 10:32:56 +0000 (13:32 +0300)
Check that volume name is not shorter than 'name_len'.

No need to copy the trailing zero byte because whole array
was zeroed earlier.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
drivers/mtd/ubi/cdev.c
drivers/mtd/ubi/vmt.c

index 3e3449ec07f0c6874fe943c55b7c761864b0be41..4fb84e3e65029248000f25a4c8b16bae09553e91 100644 (file)
@@ -574,6 +574,10 @@ static int verify_mkvol_req(const struct ubi_device *ubi,
                goto bad;
        }
 
+       n = strnlen(req->name, req->name_len + 1);
+       if (n != req->name_len)
+               goto bad;
+
        return 0;
 
 bad:
@@ -629,12 +633,11 @@ static int ubi_cdev_ioctl(struct inode *inode, struct file *file,
                        break;
                }
 
+               req.name[req.name_len] = '\0';
                err = verify_mkvol_req(ubi, &req);
                if (err)
                        break;
 
-               req.name[req.name_len] = '\0';
-
                mutex_lock(&ubi->volumes_mutex);
                err = ubi_create_volume(ubi, &req);
                mutex_unlock(&ubi->volumes_mutex);
index 367b04176e0a4aa1001fdf0d3f6e10bb5709a03b..bfa7c5d2e064a2ce1e4e7f68780821e5675760e0 100644 (file)
@@ -275,7 +275,7 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req)
        vol->data_pad  = ubi->leb_size % vol->alignment;
        vol->vol_type  = req->vol_type;
        vol->name_len  = req->name_len;
-       memcpy(vol->name, req->name, vol->name_len + 1);
+       memcpy(vol->name, req->name, vol->name_len);
        vol->ubi = ubi;
 
        /*
@@ -350,7 +350,7 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req)
                vtbl_rec.vol_type = UBI_VID_DYNAMIC;
        else
                vtbl_rec.vol_type = UBI_VID_STATIC;
-       memcpy(vtbl_rec.name, vol->name, vol->name_len + 1);
+       memcpy(vtbl_rec.name, vol->name, vol->name_len);
 
        err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec);
        if (err)