Hi Souptick,
On Tue, Feb 16, 2016 at 5:36 PM, Souptick Joarder <jrdr.linux@xxxxxxxxx> wrote:
> On Tue, Feb 16, 2016 at 12:34 AM, Alan <gnomes@xxxxxxxxxxxxxxxxxxx> wrote:
>> The buffer needs to be zero terminated in case the user data is not.
>> Otherwise we run off the end of the buffer.
>>
>> Signed-off-by: Alan Cox <alan@xxxxxxxxxxxxxxx>
>> ---
>> drivers/net/wireless/ralink/rt2x00/rt2x00debug.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00debug.c b/drivers/net/wireless/ralink/rt2x00/rt2x00debug.c
>> index 25ee3cb..72ae530 100644
>> --- a/drivers/net/wireless/ralink/rt2x00/rt2x00debug.c
>> +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00debug.c
>> @@ -478,7 +478,7 @@ static ssize_t rt2x00debug_write_##__name(struct file *file, \
>> { \
>> struct rt2x00debug_intf *intf = file->private_data; \
>> const struct rt2x00debug *debug = intf->debug; \
>> - char line[16]; \
>> + char line[17]; \
>> size_t size; \
>> unsigned int index = intf->offset_##__name; \
>> __type value; \
>> @@ -494,7 +494,8 @@ static ssize_t rt2x00debug_write_##__name(struct file *file, \
>> \
>> if (copy_from_user(line, buf, length)) \
>> return -EFAULT; \
>> - \
>> + line[16] = 0;
>
> line[length] = '\0';
> correct me if I am wrong. \
I believe that in this case the data in buf will already be null
terminated, so ensuring that line is null terminated is only needed if
there are exactly 16 bytes in buf. IMHO
line[16] = 0;
is dealing with this bug much more explicitly than
line[length] = 0;
however either will work. (BTW '\0' is identical to 0.)
Thanks,
--
Julian Calaby
Email: julian.calaby@xxxxxxxxx
Profile: http://www.google.com/profiles/julian.calaby/
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
