[PATCH v4] tools/mm/slabinfo: fix access to null terminator in string boundary

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v4] tools/mm/slabinfo: fix access to null terminator in string boundary
@ 2025-09-01  4:49 Kaushlendra Kumar
  2025-09-02  3:32 ` SeongJae Park
  0 siblings, 1 reply; 2+ messages in thread
From: Kaushlendra Kumar @ 2025-09-01  4:49 UTC (permalink / raw)
  To: akpm; +Cc: linux-mm, Kaushlendra Kumar

The current code incorrectly accesses buffer[strlen(buffer)], which
points to the null terminator ('\0') at the end of the string. This is
technically out-of-bounds access since valid string content ends at
index strlen(buffer)-1.

Fix by:
1. Declaring strlen() result variable at function scope
2. Adding bounds check (len > 0) to handle empty strings
3. Using buffer[len-1] to correctly access the last character before
   the null terminator

Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
---
Changes in v2:
- Move variable declaration to function scope to avoid mixing
  declarations with statements (feedback from reviewer)

Changes in v3:
- Move changelog to comment section (feedback from reviewer)
- Remove unnecessary blank lines

Changes in v4:
- Remove changelog from comment section
---
 tools/mm/slabinfo.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/tools/mm/slabinfo.c b/tools/mm/slabinfo.c
index 1433eff99feb..80cdbd3db82d 100644
--- a/tools/mm/slabinfo.c
+++ b/tools/mm/slabinfo.c
@@ -155,6 +155,7 @@ static void usage(void)
 
 static unsigned long read_obj(const char *name)
 {
+	size_t len;
 	FILE *f = fopen(name, "r");
 
 	if (!f) {
@@ -165,8 +166,10 @@ static unsigned long read_obj(const char *name)
 		if (!fgets(buffer, sizeof(buffer), f))
 			buffer[0] = 0;
 		fclose(f);
-		if (buffer[strlen(buffer)] == '\n')
-			buffer[strlen(buffer)] = 0;
+		len = strlen(buffer);
+
+		if (len > 0 && buffer[len - 1] == '\n')
+			buffer[len - 1] = 0;
 	}
 	return strlen(buffer);
 }
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH v4] tools/mm/slabinfo: fix access to null terminator in string boundary
  2025-09-01  4:49 [PATCH v4] tools/mm/slabinfo: fix access to null terminator in string boundary Kaushlendra Kumar
@ 2025-09-02  3:32 ` SeongJae Park
  0 siblings, 0 replies; 2+ messages in thread
From: SeongJae Park @ 2025-09-02  3:32 UTC (permalink / raw)
  To: Kaushlendra Kumar; +Cc: SeongJae Park, akpm, linux-mm

On Mon,  1 Sep 2025 10:19:55 +0530 Kaushlendra Kumar <kaushlendra.kumar@intel.com> wrote:

> The current code incorrectly accesses buffer[strlen(buffer)], which
> points to the null terminator ('\0') at the end of the string. This is
> technically out-of-bounds access since valid string content ends at
> index strlen(buffer)-1.
> 
> Fix by:
> 1. Declaring strlen() result variable at function scope
> 2. Adding bounds check (len > 0) to handle empty strings
> 3. Using buffer[len-1] to correctly access the last character before
>    the null terminator
> 
> Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>

Acked-by: SeongJae Park <sj@kernel.org>


Thanks,
SJ

[...]


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-09-02  3:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-01  4:49 [PATCH v4] tools/mm/slabinfo: fix access to null terminator in string boundary Kaushlendra Kumar
2025-09-02  3:32 ` SeongJae Park

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).