Search Linux Wireless

Re: [PATCH] mac80211: fix incorrect strlen of .write in debugfs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2021-01-08 at 21:02 +0100, Johannes Berg wrote:
> This looks wrong to me, am I missing something?
> 
> > diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
> > index 9135b6f..9991a6a 100644
> > --- a/net/mac80211/debugfs.c
> > +++ b/net/mac80211/debugfs.c
> > @@ -120,7 +120,6 @@ static ssize_t aqm_write(struct file *file,
> >  {
> >  	struct ieee80211_local *local = file->private_data;
> >  	char buf[100];
> > -	size_t len;
> >  
> >  	if (count > sizeof(buf))
> >  		return -EINVAL;
> 
> This ensures that count <= sizeof(buf)
> 
> > @@ -128,10 +127,10 @@ static ssize_t aqm_write(struct file *file,
> >  	if (copy_from_user(buf, user_buf, count))
> >  		return -EFAULT;
> 
> We copy, that's fine.
>  
> > -	buf[sizeof(buf) - 1] = '\0';
> > -	len = strlen(buf);
> > -	if (len > 0 && buf[len-1] == '\n')
> > -		buf[len-1] = 0;
> > +	if (count && buf[count - 1] == '\n')
> > +		buf[count - 1] = '\0';
> 
> This I think really was meant as strlen, because if you write something
> like
> 
>  10\n\0\0\0\0
> 
> before it would have parsed it as 10 still, now it gets confused?
> 
> I guess I'm not worried about that though.

I think the problem only happens on airtime_flags_write() that uses
kstrtou16()


> > +	buf[count] = '\0';
> 
> But if count == sizeof(buf) then this is an out-of-bounds write.

Right. Then, we can

 	if (count >= sizeof(buf))
		return -EINVAL;

Ryder







[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Wireless Regulations]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux