commit
369653e4fb511928511b0ce81f41c812ff1f28b6 upstream.
extract_param() is called with max_length set to the total size of the
output buffer. It's not safe to allow a parameter length equal to the
buffer size as the terminating null would be written one byte past the
end of the output buffer.
Signed-off-by: Eric Seppanen <eric@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
- if (len > max_length) {
+ if (len >= max_length) {
pr_err("Length of input: %d exeeds max_length:"
" %d\n", len, max_length);
return -1;
pr_err("Length of input: %d exeeds max_length:"
" %d\n", len, max_length);
return -1;