From 5799d9e2eab20ef694fb92a7636f451e1b0e456c Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Tue, 17 Apr 2012 21:27:54 +0200 Subject: drm/nouveau/pm: don't read/write beyond end of stack buffer NUL-terminate after strncpy. If the parameter "profile" has length 16 or more, then strncpy leaves "string" with no NUL terminator, so the following search for '\n' may read beyond the end of that 16-byte buffer. If it finds a newline there, then it will also write beyond the end of that stack buffer. Signed-off-by: Jim Meyering Signed-off-by: Dave Airlie --- drivers/gpu/drm/nouveau/nouveau_pm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/nouveau/nouveau_pm.c b/drivers/gpu/drm/nouveau/nouveau_pm.c index 34d591b7d4ef..da3e7c3abab7 100644 --- a/drivers/gpu/drm/nouveau/nouveau_pm.c +++ b/drivers/gpu/drm/nouveau/nouveau_pm.c @@ -235,6 +235,7 @@ nouveau_pm_profile_set(struct drm_device *dev, const char *profile) return -EPERM; strncpy(string, profile, sizeof(string)); + string[sizeof(string) - 1] = 0; if ((ptr = strchr(string, '\n'))) *ptr = '\0'; -- cgit v1.2.3