On Sat, 7 Jun 2014, Manuel Schölling wrote:

> dns_query() credulously assumes that keys are null-terminated and
> returns a copy of a memory block that is off by one.
No sign-off? Please read Documentation/SubmittingPatches.

> --- > net/dns_resolver/dns_query.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/dns_resolver/dns_query.c b/net/dns_resolver/dns_query.c > index e7b6d53..84871a2 100644 > --- a/net/dns_resolver/dns_query.c > +++ b/net/dns_resolver/dns_query.c > @@ -145,11 +145,11 @@ int dns_query(const char *type, const char *name, > size_t namelen, > len = upayload->datalen; > > ret = -ENOMEM; > - *_result = kmalloc(len + 1, GFP_KERNEL); > + *_result = kzalloc(len + 1, GFP_KERNEL); > if (!*_result) > goto put; > > - memcpy(*_result, upayload->data, len + 1); > + memcpy(*_result, upayload->data, len); > if (_expiry) > *_expiry = rkey->expiry;

kzalloc() would be unnecessary overhead (zeroing definitely comes with a cost) if you're going to copy to the memory immediately afterwards. Just leave the kmalloc(), do the memcpy() and explicitly zero terminate *_result.
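Review bot: The kmalloc() -> kzalloc() change in this hunk makes the string terminator implicit and zeroes all len + 1 bytes only for memcpy() to overwrite len of them; keep `*_result = kmalloc(len + 1, GFP_KERNEL);`, keep the corrected `memcpy(*_result, upayload->data, len);`, and add an explicit `(*_result)[len] = '\0';` so the terminator is visible in the code and the zero fill is not needed. The memcpy() change from len + 1 to len is the part that actually fixes the one-byte read past the end of upayload->data described in the commit message, and the patch still needs a Signed-off-by line.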
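The fix shape the reply asks for (allocate len + 1 without zeroing, copy exactly len bytes, write the terminator explicitly), as an added userspace example that is not kernel code and not part of this thread: malloc() stands in for kmalloc(), a plain `struct payload` stands in for the resolver key's payload, and the 13-byte sample arena is constructed for the example. It also includes a small check showing why the pre-patch memcpy() of len + 1 bytes reads one byte beyond key data that is exactly len bytes long.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the key payload dns_query() copies from (assumption of
 * this example, not the kernel's struct). The bytes at `data` are NOT
 * guaranteed to end in a NUL: only `datalen` bytes belong to the key. */
struct payload {
	size_t datalen;
	const unsigned char *data;
};

/* Copy in the form the reply recommends: allocate datalen + 1 bytes without
 * zeroing (malloc stands in for kmalloc), copy exactly datalen bytes, then
 * write the terminator ourselves. Zeroing the whole buffer first would cost
 * a memset only to overwrite all but one byte of it immediately.
 * Returns 0 on success, -EINVAL on bad arguments, -ENOMEM if allocation fails. */
int copy_payload_terminated(const struct payload *p, char **out)
{
	char *buf;

	if (!p || !out || (!p->data && p->datalen))
		return -EINVAL;

	buf = malloc(p->datalen + 1);
	if (!buf)
		return -ENOMEM;

	memcpy(buf, p->data, p->datalen);
	buf[p->datalen] = '\0';	/* the one byte the copy did not fill */
	*out = buf;
	return 0;
}

/* Nonzero when the pre-patch memcpy(..., len + 1) would read outside a
 * region of `region_bytes` bytes that holds key data of `datalen` bytes. */
int old_copy_would_overread(size_t datalen, size_t region_bytes)
{
	return datalen + 1 > region_bytes;
}

/* Constructed sample: the key data "example.org" (11 bytes, no NUL) sits at
 * the front of a 13-byte arena whose remaining bytes are unrelated, so a
 * copy of 12 bytes would pick up 0x41 where a terminator is expected. */
static const unsigned char sample_arena[13] = {
	'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'o', 'r', 'g', 0x41, 0x42
};

/* Runs the terminated copy over the sample; caller frees *out on success. */
int demo_copy(char **out)
{
	struct payload p = { .datalen = 11, .data = sample_arena };
	return copy_payload_terminated(&p, out);
}

/* Copies the sample and returns strlen() of the result: datalen (11) when
 * the terminator was written correctly, (size_t)-1 on failure. */
size_t demo_copy_strlen(void)
{
	char *out = NULL;
	size_t n;

	if (demo_copy(&out) != 0)
		return (size_t)-1;
	n = strlen(out);
	free(out);
	return n;
}

int main(void)
{
	char *result = NULL;

	if (demo_copy(&result) == 0) {
		printf("copied: \"%s\" (strlen %zu)\n", result, strlen(result));
		free(result);
	}
	printf("old len + 1 copy reads past an exact-size region: %d\n",
	       old_copy_would_overread(11, 11));
	return 0;
}
```

The terminator write is the whole point: with the explicit `buf[p->datalen] = '\0'`, the allocation no longer has to be zero-filled, and a reader of the code can see where the C string ends without knowing what the allocator did.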