On Mon, 2021-01-11 at 14:19 +0800, Shayne Chen wrote:
>
> Regarding the case "10\n\0\0\0\0", both count and strlen() fail to get
> the correct strlen.

Yeah. I don't think we need to worry about this case.

> # echo "10\n\0\0\0\0" > /sys/kernel/debug/ieee80211/phy0/airtime_flags
> airtime_flags_write: count = 13, strlen = 15
>
> > > + buf[count] = '\0';
> >
> > But if count == sizeof(buf) then this is an out-of-bounds write.
> >
> > Same for all the other copied instances.
> >
> > johannes
> >
>
> Should we consider this kind of case here?

Sure, we're at the kernel/userspace trust boundary, we can't just read
out-of-bounds? Or what do you mean?

johannes
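The bounds problem Johannes raises, modelled in user space as an added example (this is not the mac80211 debugfs code from the patch under review): a write handler copies `count` bytes from the caller into a fixed-size stack buffer and then stores the terminator at `buf[count]`, which is only inside the buffer while `count < sizeof(buf)`. The hardened variant rejects input that leaves no room for the terminator before copying, and the parser accepts only a number with an optional trailing newline, so the literal-backslash input from the `echo "10\n\0\0\0\0"` test (13 bytes, as in the thread) is refused instead of being read past its end. `BUF_LEN`, `memcpy()` standing in for `copy_from_user()`, and all function names are assumptions of this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumed size of the handler's stack buffer (example value, not from the
 * patch). */
#define BUF_LEN 32

/* The pattern under review: after copying `count` bytes into a BUF_LEN-byte
 * buffer the handler does buf[count] = '\0'. That index is inside the buffer
 * only while count < BUF_LEN; count == BUF_LEN writes one byte past the end. */
static int terminator_in_bounds(size_t count, size_t bufsize)
{
    return count < bufsize;
}

/* Hardened handler: refuse input that leaves no room for the terminator
 * before touching the buffer. memcpy() stands in for copy_from_user().
 * Returns the number of bytes consumed, or -EINVAL (as a debugfs write
 * callback would) when the input is too long. */
static ssize_t airtime_flags_write_safe(char *buf, size_t bufsize,
                                        const char *user, size_t count)
{
    if (count >= bufsize)
        return -EINVAL;
    memcpy(buf, user, count);
    buf[count] = '\0';   /* always in bounds after the check above */
    return (ssize_t)count;
}

/* Parse the terminated buffer as an unsigned integer, allowing at most one
 * trailing newline (what `echo 10 > file` produces). Anything else after the
 * number, including the literal backslash sequences of the thread's
 * `echo "10\n\0\0\0\0"`, is rejected with -EINVAL. Returns 0 and stores the
 * value on success. */
static int parse_airtime_flags(const char *buf, unsigned long *out)
{
    char *end;
    unsigned long val;

    errno = 0;
    val = strtoul(buf, &end, 0);
    if (end == buf || errno == ERANGE)
        return -EINVAL;
    if (*end == '\n')
        end++;
    if (*end != '\0')
        return -EINVAL;
    *out = val;
    return 0;
}

/* Full path of the hardened handler: bounds-checked copy, then parse. The
 * parser never relies on strlen() of an unterminated buffer because the copy
 * step guarantees termination inside the buffer. */
static int handle_airtime_flags_write(const char *user, size_t count,
                                      unsigned long *out)
{
    char buf[BUF_LEN];
    ssize_t n = airtime_flags_write_safe(buf, sizeof(buf), user, count);

    if (n < 0)
        return (int)n;
    return parse_airtime_flags(buf, out);
}
```

Rejecting with `-EINVAL` is one of two usual fixes; the other is clamping `count` to `sizeof(buf) - 1` so over-long input is truncated rather than refused. Either way the terminator index is derived from the buffer size, not from a caller-controlled `count`, which is the invariant the review comment asks for.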