Scanning for possibly unbounded strlen() found the device/disk
manager ioctls that do a double scan of the data to check whether
the caller supplied buffer is large enough, and then to fill it.

If the buffer is too small the required size isn't returned.

So simplify everything and make it all less likely to overrun
the kernel buffer (copied back to user later) if anything changes
between the scans.

I managed a minimal test that the ioctls still work.

David Laight (3):
  dm: __list_versions(): Only process targets once
  dm: list_devices(): Only process devices once
  dm: lookup_ioctl(): Use designated array initialers

 drivers/md/dm-ioctl.c | 207 +++++++++++++++++++-----------------------
 1 file changed, 92 insertions(+), 115 deletions(-)

-- 
2.39.5
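
The single-pass pattern the cover letter describes, as an added user-space example that is not part of the original message or of the dm-ioctl.c patches: each string is measured once, and that one length drives both the bounds check and the copy. `pack_names()` and `struct pack_result` are hypothetical names, the target names are constructed sample input, and reporting the required size on overflow is a choice made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this example (not from dm-ioctl.c). */
struct pack_result {
    size_t needed;   /* bytes required to hold every name */
    size_t written;  /* bytes actually stored in buf */
    int    overflow; /* non-zero once a name did not fit */
};

/* Pack NUL-terminated names back to back into buf in a single pass. */
static struct pack_result pack_names(char *buf, size_t buf_len,
                                     const char *const *names, size_t count)
{
    struct pack_result r = { 0, 0, 0 };

    for (size_t i = 0; i < count; i++) {
        /* Measured exactly once; the same value bounds the copy below. */
        size_t len = strlen(names[i]) + 1;

        r.needed += len;
        /* written never exceeds buf_len, so the subtraction cannot wrap. */
        if (r.overflow || len > buf_len - r.written) {
            r.overflow = 1;   /* stop copying, keep sizing */
            continue;
        }
        memcpy(buf + r.written, names[i], len);
        /* Terminate explicitly in case the source changed after strlen(). */
        buf[r.written + len - 1] = '\0';
        r.written += len;
    }
    return r;
}

int main(void)
{
    /* Constructed sample input. */
    const char *const names[] = { "linear", "striped", "crypt" };
    char buf[10];
    struct pack_result r = pack_names(buf, sizeof(buf), names, 3);

    printf("needed=%zu written=%zu overflow=%d\n",
           r.needed, r.written, r.overflow);
    return 0;
}
```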

