From f45655f6a65538237359abce55edab9cfcc6d82f Mon Sep 17 00:00:00 2001
From: Heiko Carstens <heiko.carstens@de.ibm.com>
Date: Thu, 21 Feb 2013 13:30:42 +0100
Subject: s390/uaccess: fix strncpy_from_user/strnlen_user zero maxlen case

If the maximum length specified for the to be accessed string for
strncpy_from_user() and strnlen_user() is zero the following incorrect
values would be returned or incorrect memory accesses would happen:

strnlen_user_std() and strnlen_user_pt() incorrectly return "1"
strncpy_from_user_pt() would incorrectly access "dst[maxlen - 1]"
strncpy_from_user_mvcos() would incorrectly return "-EFAULT"

Fix all these oddities by adding early checks.

Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
---
 arch/s390/lib/uaccess_pt.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'arch/s390/lib/uaccess_pt.c')

diff --git a/arch/s390/lib/uaccess_pt.c b/arch/s390/lib/uaccess_pt.c
index a70ee84c0241..c1aaf22c326b 100644
--- a/arch/s390/lib/uaccess_pt.c
+++ b/arch/s390/lib/uaccess_pt.c
@@ -172,6 +172,8 @@ static size_t strnlen_user_pt(size_t count, const char __user *src)
 	unsigned long offset, done, len, kaddr;
 	size_t len_str;
 
+	if (unlikely(!count))
+		return 0;
 	if (segment_eq(get_fs(), KERNEL_DS))
 		return strnlen((const char __kernel __force *) src, count) + 1;
 	done = 0;
@@ -202,6 +204,8 @@ static size_t strncpy_from_user_pt(size_t count, const char __user *src,
 {
 	size_t n = strnlen_user_pt(count, src);
 
+	if (unlikely(!count))
+		return 0;
 	if (!n)
 		return -EFAULT;
 	if (n > count)
-- 
cgit v1.2.3