a common calling pattern is strncpy_from_user(buf, user_ptr, sizeof(buf)). However a buffer-overflow read occurs in this loop when reading the last byte. Fix it by early checking the available bytes.
Signed-off-by: Yangxi Xiang xyangxi5@gmail.com --- include/asm-generic/uaccess.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h index a0b2f270dddc..d45d4f535934 100644 --- a/include/asm-generic/uaccess.h +++ b/include/asm-generic/uaccess.h @@ -252,7 +252,7 @@ __strncpy_from_user(char *dst, const char __user *src, long count) { char *tmp; strncpy(dst, (const char __force *)src, count); - for (tmp = dst; *tmp && count > 0; tmp++, count--) + for (tmp = dst; count > 0 && *tmp; tmp++, count--) ; return (tmp - dst); }