This looks wrong to me, am I missing something?
> diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
> index 9135b6f..9991a6a 100644
> --- a/net/mac80211/debugfs.c
> +++ b/net/mac80211/debugfs.c
> @@ -120,7 +120,6 @@ static ssize_t aqm_write(struct file *file,
> {
> struct ieee80211_local *local = file->private_data;
> char buf[100];
> - size_t len;
>
> if (count > sizeof(buf))
> return -EINVAL;
This ensures that count <= sizeof(buf)
> @@ -128,10 +127,10 @@ static ssize_t aqm_write(struct file *file,
> if (copy_from_user(buf, user_buf, count))
> return -EFAULT;
We copy, that's fine.
> - buf[sizeof(buf) - 1] = '\0';
> - len = strlen(buf);
> - if (len > 0 && buf[len-1] == '\n')
> - buf[len-1] = 0;
> + if (count && buf[count - 1] == '\n')
> + buf[count - 1] = '\0';
This I think really was meant as strlen, because if you write something
like
10\n\0\0\0\0
before it would have parsed it as 10 still, now it gets confused?
I guess I'm not worried about that though.
> + buf[count] = '\0';
But if count == sizeof(buf) then this is an out-of-bounds write.
Same for all the other copied instances.
johannes
