On Mon, Oct 24, 2011 at 10:05 PM, Nicholas A. Bellinger <n...@linux-iscsi.org> wrote: > On Mon, 2011-10-24 at 21:58 +0200, Bart Van Assche wrote: >> On Mon, Oct 24, 2011 at 9:49 PM, Nicholas A. Bellinger >> <n...@linux-iscsi.org> wrote: >> > On Mon, 2011-10-24 at 21:44 +0200, Bart Van Assche wrote: >> >> On Mon, Oct 24, 2011 at 7:33 AM, Nicholas A. Bellinger >> >> <n...@linux-iscsi.org> wrote: >> >> > +static ssize_t srpt_tpg_attrib_store_srp_max_rsp_size( >> >> > + struct se_portal_group *se_tpg, >> >> > + const char *page, >> >> > + size_t count) >> >> > +{ >> >> > + struct srpt_port *sport = container_of(se_tpg, struct >> >> > srpt_port, port_tpg_1); >> >> > + unsigned long val; >> >> > + int ret; >> >> > + >> >> > + ret = strict_strtoul(page, 0, &val); >> >> >> >> If the data "page" points at only consists of digits, the above >> >> strict_strtoul() call will trigger a past-end-of-buffer read. >> > >> > I don't understand what you mean here. Can you provide a test case to >> > demonstrate please..? >> >> echo -n "345" >$configfs_path_of_parameter. > > Still not sure what your getting at here..?
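Review bot: in srpt_tpg_attrib_store_srp_max_rsp_size(), strict_strtoul(page, 0, &val) is called with base 0, so a value written with a leading 0 is parsed as octal and one with a leading 0x as hex; if srp_max_rsp_size is meant to be decimal only, pass 10 as the base. The quoted lines end at the strict_strtoul() call, so also confirm that ret is tested and that val is range-checked before it is stored.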
Only the data in page[0..count-1] is guaranteed to be initialized. strict_strtoul() will read until it either finds whitespace or a binary zero, so if the data in page[] contains neither whitespace nor a binary zero then strict_strtoul() will read past the end of the data in page[]. There may be any data at page[count], including a valid digit.

Bart.
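Added example (not from this thread or the kernel tree): a user-space illustration of the concern above, parsing only page[0..count-1] by copying the bytes into a terminated local buffer before conversion. parse_ulong_bounded() and demo_stale_digit() are hypothetical names, and libc strtoul() stands in for strict_strtoul().

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not kernel code): parse an unsigned long from exactly
 * page[0..count-1]. It never reads page[count], so stale bytes there cannot
 * leak into the result. Returns 0, -EINVAL or -ERANGE. */
static int parse_ulong_bounded(const char *page, size_t count, unsigned long *out)
{
    char buf[32];   /* fits any 64-bit value in base 8, 10 or 16 plus '\n' */
    char *end;
    unsigned long val;

    if (count == 0 || count >= sizeof(buf))
        return -EINVAL;
    memcpy(buf, page, count);   /* copy only the initialized bytes */
    buf[count] = '\0';          /* terminator the parser can rely on */

    if (buf[0] < '0' || buf[0] > '9')   /* no sign, no leading whitespace */
        return -EINVAL;
    errno = 0;
    val = strtoul(buf, &end, 0);        /* base 0, as in the quoted call */
    if (errno == ERANGE)
        return -ERANGE;
    if (*end == '\n')                   /* tolerate one trailing newline */
        end++;
    if (end != buf + count)             /* trailing junk or embedded NUL */
        return -EINVAL;
    *out = val;
    return 0;
}

/* Constructed input: the 3-byte write "345" from the thread, stored in a
 * buffer with no terminator and a stale '6' at page[count]. */
static unsigned long demo_stale_digit(void)
{
    static const char page[4] = { '3', '4', '5', '6' };
    unsigned long val = 0;

    return parse_ulong_bounded(page, 3, &val) ? 0 : val;
}

int main(void)
{
    printf("parsed %lu\n", demo_stale_digit());
    return 0;
}
```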