From 5799d9e2eab20ef694fb92a7636f451e1b0e456c Mon Sep 17 00:00:00 2001
From: Jim Meyering <jim@meyering.net>
Date: Tue, 17 Apr 2012 21:27:54 +0200
Subject: drm/nouveau/pm: don't read/write beyond end of stack buffer

NUL-terminate after strncpy.

If the parameter "profile" has length 16 or more, then strncpy
leaves "string" with no NUL terminator, so the following search
for '\n' may read beyond the end of that 16-byte buffer.
If it finds a newline there, then it will also write beyond the
end of that stack buffer.

Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

diff --git a/drivers/gpu/drm/nouveau/nouveau_pm.c b/drivers/gpu/drm/nouveau/nouveau_pm.c
index 34d591b..da3e7c3 100644
--- a/drivers/gpu/drm/nouveau/nouveau_pm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_pm.c
@@ -235,6 +235,7 @@ nouveau_pm_profile_set(struct drm_device *dev, const char *profile)
 		return -EPERM;
 
 	strncpy(string, profile, sizeof(string));
+	string[sizeof(string) - 1] = 0;
 	if ((ptr = strchr(string, '\n')))
 		*ptr = '\0';
 
-- 
cgit v0.10.2