nvmet: fixup crash on NULL device path

[linux-2.6-microblaze.git] / drivers / nvme / target / configfs.c

diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index ad9ff27..ebea137 100644 (file)
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -137,8 +137,10 @@ static ssize_t nvmet_addr_traddr_store(struct config_item *item,
                pr_err("Disable the address before modifying\n");
                return -EACCES;
        }
-       return snprintf(port->disc_addr.traddr,
-                       sizeof(port->disc_addr.traddr), "%s", page);
+
+       if (sscanf(page, "%s\n", port->disc_addr.traddr) != 1)
+               return -EINVAL;
+       return count;
 }
 
 CONFIGFS_ATTR(nvmet_, addr_traddr);
@@ -208,8 +210,10 @@ static ssize_t nvmet_addr_trsvcid_store(struct config_item *item,
                pr_err("Disable the address before modifying\n");
                return -EACCES;
        }
-       return snprintf(port->disc_addr.trsvcid,
-                       sizeof(port->disc_addr.trsvcid), "%s", page);
+
+       if (sscanf(page, "%s\n", port->disc_addr.trsvcid) != 1)
+               return -EINVAL;
+       return count;
 }
 
 CONFIGFS_ATTR(nvmet_, addr_trsvcid);
@@ -278,6 +282,7 @@ static ssize_t nvmet_ns_device_path_store(struct config_item *item,
 {
        struct nvmet_ns *ns = to_nvmet_ns(item);
        struct nvmet_subsys *subsys = ns->subsys;
+       size_t len;
        int ret;
 
        mutex_lock(&subsys->lock);
@@ -285,10 +290,14 @@ static ssize_t nvmet_ns_device_path_store(struct config_item *item,
        if (ns->enabled)
                goto out_unlock;
 
-       kfree(ns->device_path);
+       ret = -EINVAL;
+       len = strcspn(page, "\n");
+       if (!len)
+               goto out_unlock;
 
+       kfree(ns->device_path);
        ret = -ENOMEM;
-       ns->device_path = kstrdup(page, GFP_KERNEL);
+       ns->device_path = kstrndup(page, len, GFP_KERNEL);
        if (!ns->device_path)
                goto out_unlock;