Search Linux Wireless

Re: [PATCH] rt2x00: unterminated strlen of user data

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Souptick,

On Tue, Feb 16, 2016 at 5:36 PM, Souptick Joarder <jrdr.linux@xxxxxxxxx> wrote:
> On Tue, Feb 16, 2016 at 12:34 AM, Alan <gnomes@xxxxxxxxxxxxxxxxxxx> wrote:
>> The buffer needs to be zero terminated in case the user data is not.
>> Otherwise we run off the end of the buffer.
>>
>> Signed-off-by: Alan Cox <alan@xxxxxxxxxxxxxxx>
>> ---
>>  drivers/net/wireless/ralink/rt2x00/rt2x00debug.c |    5 +++--
>>  1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00debug.c b/drivers/net/wireless/ralink/rt2x00/rt2x00debug.c
>> index 25ee3cb..72ae530 100644
>> --- a/drivers/net/wireless/ralink/rt2x00/rt2x00debug.c
>> +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00debug.c
>> @@ -478,7 +478,7 @@ static ssize_t rt2x00debug_write_##__name(struct file *file,        \
>>  {                                                              \
>>         struct rt2x00debug_intf *intf = file->private_data;     \
>>         const struct rt2x00debug *debug = intf->debug;          \
>> -       char line[16];                                          \
>> +       char line[17];                                          \
>>         size_t size;                                            \
>>         unsigned int index = intf->offset_##__name;             \
>>         __type value;                                           \
>> @@ -494,7 +494,8 @@ static ssize_t rt2x00debug_write_##__name(struct file *file,        \
>>                                                                 \
>>         if (copy_from_user(line, buf, length))                  \
>>                 return -EFAULT;                                 \
>> -                                                               \
>> +       line[16] = 0;
>
>             line[length] = '\0';
>             correct me if I am wrong.                          \

I believe that in this case the data in buf will already be null
terminated, so ensuring that line is null terminated is only needed if
there are exactly 16 bytes in buf. IMHO

line[16] = 0;

is dealing with this bug much more explicitly than

line[length] = 0;

however either will work. (BTW '\0' is identical to 0.)

Thanks,

-- 
Julian Calaby

Email: julian.calaby@xxxxxxxxx
Profile: http://www.google.com/profiles/julian.calaby/
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux