Re: [PATCH] rt2x00: unterminated strlen of user data

Souptick Joarder <jrdr.linux@xxxxxxxxx> · Wed, 17 Feb 2016 19:19:55 +0530

Hi Julian,

On Wed, Feb 17, 2016 at 5:38 AM, Julian Calaby <julian.calaby@xxxxxxxxx> wrote:
> Hi Souptick,
>
> On Tue, Feb 16, 2016 at 5:36 PM, Souptick Joarder <jrdr.linux@xxxxxxxxx> wrote:
>> On Tue, Feb 16, 2016 at 12:34 AM, Alan <gnomes@xxxxxxxxxxxxxxxxxxx> wrote:
>>> The buffer needs to be zero terminated in case the user data is not.
>>> Otherwise we run off the end of the buffer.
>>>
>>> Signed-off-by: Alan Cox <alan@xxxxxxxxxxxxxxx>
>>> ---
>>>  drivers/net/wireless/ralink/rt2x00/rt2x00debug.c |    5 +++--
>>>  1 file changed, 3 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00debug.c b/drivers/net/wireless/ralink/rt2x00/rt2x00debug.c
>>> index 25ee3cb..72ae530 100644
>>> --- a/drivers/net/wireless/ralink/rt2x00/rt2x00debug.c
>>> +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00debug.c
>>> @@ -478,7 +478,7 @@ static ssize_t rt2x00debug_write_##__name(struct file *file,        \
>>>  {                                                              \
>>>         struct rt2x00debug_intf *intf = file->private_data;     \
>>>         const struct rt2x00debug *debug = intf->debug;          \
>>> -       char line[16];                                          \
>>> +       char line[17];                                          \
>>>         size_t size;                                            \
>>>         unsigned int index = intf->offset_##__name;             \
>>>         __type value;                                           \
>>> @@ -494,7 +494,8 @@ static ssize_t rt2x00debug_write_##__name(struct file *file,        \
>>>                                                                 \
>>>         if (copy_from_user(line, buf, length))                  \
>>>                 return -EFAULT;                                 \
>>> -                                                               \
>>> +       line[16] = 0;
>>
>>             line[length] = '\0';
>>             correct me if I am wrong.                          \
>
> I believe that in this case the data in buf will already be null
> terminated, so ensuring that line is null terminated is only needed if
> there are exactly 16 bytes in buf. IMHO
>
> line[16] = 0;

I think, if there are 16 bytes in buf, we end up loosing 1 byte data.
If there are 15 bytes in buf, buf is already be null terminated.
So is this really required?
Correct me if I am wrong.
>
> is dealing with this bug much more explicitly than
>
> line[length] = 0;
>
> however either will work. (BTW '\0' is identical to 0.)
>
> Thanks,
>
> --
> Julian Calaby
>
> Email: julian.calaby@xxxxxxxxx
> Profile: http://www.google.com/profiles/julian.calaby/

-Souptick
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html