From: eeb Date: Wed, 19 Nov 2003 19:04:52 +0000 (+0000) Subject: * Limit LWT lookup string length X-Git-Tag: v1_7_110~2^11~61 X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=5cbb9f41f469b97fc9915d6c7d7102620562fbdb;p=fs%2Flustre-release.git * Limit LWT lookup string length --- diff --git a/lnet/libcfs/lwt.c b/lnet/libcfs/lwt.c index 820b627..89fe8f7 100644 --- a/lnet/libcfs/lwt.c +++ b/lnet/libcfs/lwt.c @@ -59,6 +59,8 @@ int lwt_lookup_string (int *size, char *knl_ptr, char *user_ptr, int user_size) { + int maxsize = 128; + /* knl_ptr was retrieved from an LWT snapshot and the caller wants to * turn it into a string. NB we can crash with an access violation * trying to determine the string length, so we're trusting our @@ -67,12 +69,24 @@ lwt_lookup_string (int *size, char *knl_ptr, if (!capable(CAP_SYS_ADMIN)) return (-EPERM); - *size = strlen (knl_ptr) + 1; - - if (user_ptr != NULL && - copy_to_user (user_ptr, knl_ptr, *size)) - return (-EFAULT); + if (user_size > 0 && + maxsize > user_size) + maxsize = user_size; + + *size = strnlen (knl_ptr, maxsize - 1) + 1; + if (user_ptr != NULL) { + if (user_size < 4) + return (-EINVAL); + + if (copy_to_user (user_ptr, knl_ptr, *size)) + return (-EFAULT); + + /* Did I truncate the string? */ + if (knl_ptr[*size - 1] != 0) + copy_to_user (user_ptr + *size - 4, "...", 4); + } + return (0); } diff --git a/lustre/portals/libcfs/lwt.c b/lustre/portals/libcfs/lwt.c index 820b627..89fe8f7 100644 --- a/lustre/portals/libcfs/lwt.c +++ b/lustre/portals/libcfs/lwt.c @@ -59,6 +59,8 @@ int lwt_lookup_string (int *size, char *knl_ptr, char *user_ptr, int user_size) { + int maxsize = 128; + /* knl_ptr was retrieved from an LWT snapshot and the caller wants to * turn it into a string. NB we can crash with an access violation * trying to determine the string length, so we're trusting our 
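Review bot: The second `copy_to_user` in the truncation branch of hunk `@@ -67,12 +69,24 @@` has its return value ignored, so a fault while writing the "..." marker leaves the user buffer without a NUL terminator while the function still returns 0. Check it the same way as the first copy: `if (copy_to_user (user_ptr + *size - 4, "...", 4)) return (-EFAULT);`. Separately, the `strnlen` bound caps how far the read can run, but `knl_ptr` is still dereferenced without validation, so `capable(CAP_SYS_ADMIN)` remains the only gate. A one-line comment next to `maxsize` saying that 128 limits the length and not the address would stop the next reader from over-trusting it. The identical hunk for lustre/portals/libcfs/lwt.c has the same issue, and the function's signature lies in the preceding hunk.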
@@ -67,12 +69,24 @@ lwt_lookup_string (int *size, char *knl_ptr, if (!capable(CAP_SYS_ADMIN)) return (-EPERM); - *size = strlen (knl_ptr) + 1; - - if (user_ptr != NULL && - copy_to_user (user_ptr, knl_ptr, *size)) - return (-EFAULT); + if (user_size > 0 && + maxsize > user_size) + maxsize = user_size; + + *size = strnlen (knl_ptr, maxsize - 1) + 1; + if (user_ptr != NULL) { + if (user_size < 4) + return (-EINVAL); + + if (copy_to_user (user_ptr, knl_ptr, *size)) + return (-EFAULT); + + /* Did I truncate the string? */ + if (knl_ptr[*size - 1] != 0) + copy_to_user (user_ptr + *size - 4, "...", 4); + } + return (0); }