cgroups: add check for strcpy destination string overflow

Function "strcpy" is used without check for maximum allowed source string length and could cause destination string overflow. Check for string length is added before using "strcpy". Function now is return error if source string length is more than a maximum. akpm: presently considered NotABug, but add the check for general future-safeness and robustness. Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com> Acked-by: Paul Menage <menage@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Evgeny Kuznetsov <ext-eugeny.kuznetsov@nokia.com> 2010-10-27 15:33:37 -0700
committer: Linus Torvalds <torvalds@linux-foundation.org> 2010-10-27 18:03:09 -0700
commit: f4a2589feaef0a9b737a3e582b37ee96695bb25f (patch)
tree: ea5eb5c6f2c1f826893271b861d63272efd6546d /kernel/cgroup.c
parent: 32a8cf235e2f192eb002755076994525cdbaa35a (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 3e6517e51fd..5cf366965d0 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1922,6 +1922,8 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
 				      const char *buffer)
 {
 	BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+	if (strlen(buffer) >= PATH_MAX)
+		return -EINVAL;
 	if (!cgroup_lock_live_group(cgrp))
 		return -ENODEV;
 	strcpy(cgrp->root->release_agent_path, buffer);
author	Evgeny Kuznetsov <ext-eugeny.kuznetsov@nokia.com>	2010-10-27 15:33:37 -0700
committer	Linus Torvalds <torvalds@linux-foundation.org>	2010-10-27 18:03:09 -0700
commit	f4a2589feaef0a9b737a3e582b37ee96695bb25f (patch)
tree	ea5eb5c6f2c1f826893271b861d63272efd6546d /kernel/cgroup.c
parent	32a8cf235e2f192eb002755076994525cdbaa35a (diff)