Re: [PATCH 061/119] staging: brcm80211: further renaming in fullmac sources

Hello Dan,

I will create a patch (in the short term, couple of days) to address the issues you detected below. Since this patch [061/119] does not regress behavior, is it ok with you to *not* drop it?

@@ -1046,7 +1038,7 @@ void brcmf_c_pktfilter_offload_set(dhd_pub_t *dhd, char *arg)

  	memcpy(arg_save, arg, strlen(arg) + 1);

-	if (strlen(arg)>  BUF_SIZE) {
+	if (strlen(arg)>  PKTFILTER_BUF_SIZE) {

strlen() doesn't include the NULL terminator so probably this test
is off by one.  I didn't actually follow the code through to see
where the buffer overflow happens.  The arg_save buffer is
dynamically allocated to the correct size...  buf was the only
buffer that is PKTFILTER_BUF_SIZE and it stores a different string.

(maybe the test can just be removed?).

I agree, the test is useless. So I will remove it.

This whole function could be cleaned up with regards to string
handling.

For example:
	str = "pkt_filter_add";
	str_len = strlen(str);
	strncpy(buf, str, str_len);
	buf[str_len] = '\0';

could be replaced with:
	strcpy(buf, "pkt_filter_add");

  		DHD_ERROR(("Not enough buffer %d<  %d\n", (int)strlen(arg),
  			   (int)sizeof(buf)));
  		goto fail;
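
Review bot: The length test on the if (strlen(arg) > PKTFILTER_BUF_SIZE) line uses ">", so an argument of exactly PKTFILTER_BUF_SIZE characters passes even though it needs one more byte for the terminator, and the test only runs after the memcpy() into arg_save above it has already been done. The DHD_ERROR text also reports sizeof(buf) while the test compares against PKTFILTER_BUF_SIZE; use one expression in both places (for example strlen(arg) >= sizeof(buf)) and put the test ahead of any copy it is meant to guard, or drop it if arg is never copied into buf.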

Not completely, since variable 'str_len' is used in subsequent code. But this code snippet can be simplified. Will work on it.

Thanks for the feedback,

Roland.

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
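
The boundary case discussed in this thread, as an added example that is not part of the original message or the driver source: it compares the test as written in the hunk with one that counts the terminator, and shows a single-copy replacement for the strncpy() sequence that still returns str_len for later code. The helper names and the 16-byte PKTFILTER_BUF_SIZE are assumptions made for the demonstration, as is the premise that the checked string is copied into a buffer of that size.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo size; the driver's real value is not shown on the page. */
#define PKTFILTER_BUF_SIZE 16

/* Hypothetical helper: the test as written in the hunk (rejects only on '>'). */
static int fits_as_in_hunk(const char *arg)
{
	return !(strlen(arg) > PKTFILTER_BUF_SIZE);
}

/* Hypothetical helper: a test that leaves room for the terminating '\0'. */
static int fits_with_nul(const char *arg, size_t bufsz)
{
	return strlen(arg) < bufsz;
}

/*
 * Hypothetical helper: copy a command name into buf with one bounded copy
 * and return its length (without the terminator) so that subsequent code
 * can keep using str_len. Returns -1 when name plus '\0' does not fit.
 */
static int put_name(char *buf, size_t bufsz, const char *str)
{
	size_t str_len = strlen(str);

	if (str_len >= bufsz)
		return -1;
	memcpy(buf, str, str_len + 1);	/* +1 copies the terminator too */
	return (int)str_len;
}

int main(void)
{
	char buf[PKTFILTER_BUF_SIZE];
	const char *edge = "0123456789abcdef";	/* constructed: exactly 16 chars */

	printf("as in hunk: %d, with NUL: %d\n",
	       fits_as_in_hunk(edge), fits_with_nul(edge, sizeof(buf)));
	printf("str_len: %d\n", put_name(buf, sizeof(buf), "pkt_filter_add"));
	printf("edge copy: %d\n", put_name(buf, sizeof(buf), edge));
	return 0;
}
```

A string of exactly PKTFILTER_BUF_SIZE characters is accepted by the first test and rejected by the second, which is the one-byte difference the review comment points at.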

