Re: [PATCH] tty: vt: keyboard: do not copy an extra-byte in copy_to_user

[Pavel Skripkin]

On 11/6/21 23:30, Ajay Garg wrote:
> > > 2.
> > > == Calculate the actual length of kbs, add 1, and then copy those many
> > > bytes to user-buffer ==
> > >
> > > ret = copy_to_user(user_kdgkb->kb_string, kbs, len + 1) ?
> > >                          -EFAULT : 0;
> > > =>
> > > ret = copy_to_user(user_kdgkb->kb_string, kbs, strlen(kbs) + 1) ?
> > >                          -EFAULT : 0;
> > >
> >
> > But isn't strlen(kbs) is guaranteed to be equal to strlcpy() return
> > value in this case? As I said in previous emails,
> > strlen(func_table[kb_func]) < sizeof(user_kdgkb->kb_string) by design of
> > this function.
>
> That's the whole point of the discussion :)
>
> The method "vt_do_kdgkb_ioctl" does not manage "func_table[kb_func]".
> Thus, the method does not know whether or not
> strlen(func_table[kb_func]) < sizeof(user_kdgkb->kb_string).

It manages. The code under `case KDSKBSENT:` sets func_table[] entries 
via vt_kdskbsent().

kbs = strndup_user(..., sizeof(user_kdgkb->kb_string));

is used to allocate buffer for the func_table[] entry. That's my main 
point :)




With regards,
Pavel Skripkin