From: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
Date: Sat, 30 Aug 2025 17:20:22 +0000 (+0530)
Subject: tools/mm/slabinfo: fix access to null terminator in string boundary
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=0ab6242bb167360511e25beeb0af8fd518dbdfd7;p=users%2Fjedix%2Flinux-maple.git

tools/mm/slabinfo: fix access to null terminator in string boundary

The current code incorrectly accesses buffer[strlen(buffer)], which points
to the null terminator ('\0') at the end of the string.  This is
technically out-of-bounds access since valid string content ends at index
strlen(buffer)-1.

Fix by:
1. Declaring strlen() result variable at function scope
2. Adding bounds check (len > 0) to handle empty strings
3. Using buffer[len-1] to correctly access the last character before
   the null terminator

Link: https://lkml.kernel.org/r/20250830172022.1927448-1-kaushlendra.kumar@intel.com
Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
Acked-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

diff --git a/tools/mm/slabinfo.c b/tools/mm/slabinfo.c
index 1433eff99feb..d2e5b4e232b1 100644
--- a/tools/mm/slabinfo.c
+++ b/tools/mm/slabinfo.c
@@ -155,6 +155,8 @@ static void usage(void)
 
 static unsigned long read_obj(const char *name)
 {
+	size_t len;
+
 	FILE *f = fopen(name, "r");
 
 	if (!f) {
@@ -165,8 +167,10 @@ static unsigned long read_obj(const char *name)
 		if (!fgets(buffer, sizeof(buffer), f))
 			buffer[0] = 0;
 		fclose(f);
-		if (buffer[strlen(buffer)] == '\n')
-			buffer[strlen(buffer)] = 0;
+		len = strlen(buffer);
+
+		if (len > 0 && buffer[len - 1] == '\n')
+			buffer[len - 1] = 0;
 	}
 	return strlen(buffer);
 }