Commit 4fa5b88e authored Aug 30, 2025 by Kaushlendra Kumar Committed by Andrew Morton Sep 21, 2025

tools/mm/slabinfo: fix access to null terminator in string boundary

The current code incorrectly accesses buffer[strlen(buffer)], which points
to the null terminator ('\0') at the end of the string.  This is
technically out-of-bounds access since valid string content ends at index
strlen(buffer)-1.

Fix by:
1. Declaring strlen() result variable at function scope
2. Adding bounds check (len > 0) to handle empty strings
3. Using buffer[len-1] to correctly access the last character before
   the null terminator

[kaushlendra.kumar@intel.com: remove unnecessary blank line]
  Link: https://lkml.kernel.org/r/20250901044955.3902815-1-kaushlendra.kumar@intel.com
Link: https://lkml.kernel.org/r/20250830172022.1927448-1-kaushlendra.kumar@intel.com


Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
Acked-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

parent 5a00878f

tools/mm/slabinfo.c

+5 −2

Original line number	Diff line number	Diff line
		@@ -155,6 +155,7 @@ static void usage(void)

		static unsigned long read_obj(const char *name)
		{
		size_t len;
		FILE *f = fopen(name, "r");

		if (!f) {
		@@ -165,8 +166,10 @@ static unsigned long read_obj(const char *name)
		if (!fgets(buffer, sizeof(buffer), f))
		buffer[0] = 0;
		fclose(f);
		if (buffer[strlen(buffer)] == '\n')
		buffer[strlen(buffer)] = 0;
		len = strlen(buffer);

		if (len > 0 && buffer[len - 1] == '\n')
		buffer[len - 1] = 0;
		}
		return strlen(buffer);
		}