On Mon, 2021-01-11 at 13:10 +0100, Johannes Berg wrote:
> On Mon, 2021-01-11 at 14:19 +0800, Shayne Chen wrote:
> >
> > Regarding the case "10\n\0\0\0\0", both count and strlen() fail to get
> > the correct strlen.
>
> Yeah.
>
> I don't think we need to worry about this case.
>
Got it.

> > # echo "10\n\0\0\0\0" > /sys/kernel/debug/ieee80211/phy0/airtime_flags
> > airtime_flags_write: count = 13, strlen = 15
> >
> > > > + buf[count] = '\0';
> > >
> > > But if count == sizeof(buf) then this is an out-of-bounds write.
> > >
> > > Same for all the other copied instances.
> > >
> > > johannes
> > >
> >
> > Should we consider this kind of case here?
>
> Sure, we're at the kernel/userspace trust boundary, we can't just read
> out-of-bounds? Or what do you mean?
>
> johannes
>

Sorry, I put the reply in the wrong place.
I meant should we consider the case "10\n\0\0\0\0" here.
Will send v2, thank you.

Shayne
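As an added example, not mac80211's code and not part of this thread, here is a user-space model of the handler pattern under discussion: the original `buf[count] = '\0'` beside a version that bounds the terminator, fed the embedded-NUL input from the thread. BUF_SIZE, the `count > BUF_SIZE` check in the original model, the canary arena and the sample inputs are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a debugfs write handler; BUF_SIZE stands for
 * sizeof(buf) in the kernel and memcpy() stands in for copy_from_user(). */
#define BUF_SIZE 16

/* The original pattern: copy count bytes, then buf[count] = '\0'.
 * The kernel buffer is modelled as the first BUF_SIZE bytes of an arena
 * with one canary byte after it, so the off-by-one stays observable
 * instead of being undefined behaviour. Assumes the copy itself was
 * already bounded (count > sizeof(buf) rejected) and only the terminator
 * is off by one. Returns 1 if the terminator landed on the canary. */
int original_write_clobbers_canary(const char *user, size_t count)
{
    char arena[BUF_SIZE + 1];
    char *buf = arena;
    if (count > BUF_SIZE)
        return -1;                  /* assumed check in the original */
    memset(arena, 'C', sizeof(arena));
    memcpy(buf, user, count);
    buf[count] = '\0';              /* count == BUF_SIZE -> arena[BUF_SIZE] */
    return arena[BUF_SIZE] != 'C';
}

/* Hardened handler: refuse any write that cannot be NUL-terminated inside
 * buf, so the terminator index is at most sizeof(buf) - 1. Returns -1
 * (EINVAL in the kernel) on bad input, 0 with the parsed value in *out. */
int hardened_write(const char *user, size_t count, unsigned long *out)
{
    char buf[BUF_SIZE];
    char *end;
    if (count >= sizeof(buf))
        return -1;
    memcpy(buf, user, count);
    buf[count] = '\0';              /* always in bounds now */
    /* strtoul() stops at the first non-digit, so an input with real NUL
     * bytes after "10\n" still parses as 10 although count != strlen(buf). */
    *out = strtoul(buf, &end, 0);
    return end == buf ? -1 : 0;
}
```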