On Thursday 03 December 2015 12:26:34 Lee Jones wrote:

quoted

quoted

+static ssize_t rproc_state_write(struct file *filp, const char __user *userbuf,
+                                size_t count, loff_t *ppos)
+{
+       struct rproc *rproc = filp->private_data;
+       char buf[10];
+       int ret;
+
+       if (count > sizeof(buf))
+               return count;
+       ret = copy_from_user(buf, userbuf, count);
+       if (ret)
+               return -EFAULT;
+
+       if (buf[count - 1] == '\n')
+               buf[count - 1] = '\0';

I believe you can get here with count = 0.

I'm pretty sure you can't.

If you are sure that you can, if you can provide me with a way of
testing, I'd be happy to put in provisions.

I think that a zero-length write() from user space ends up in the write
file operation.

Also, we get a gcc warning about the out-of-bounds access for code like
this, and checking that count is larger than zero avoids the warning.

	Arnd