Hello Dan,
I will create a patch (in the short term, couple of days) to address the
issues you detected below. Since this patch [061/119] does not regress
behavior, is it ok with you to *not* drop it ?
@@ -1046,7 +1038,7 @@ void brcmf_c_pktfilter_offload_set(dhd_pub_t *dhd, char *arg)
memcpy(arg_save, arg, strlen(arg) + 1);
- if (strlen(arg)> BUF_SIZE) {
+ if (strlen(arg)> PKTFILTER_BUF_SIZE) {
strlen() doesn't include the NULL terminator so probably this test
is off by one. I didn't actually follow the code through to see
where the buffer overflow happens. The arg_save buffer is
dynamically allocated to the correct size... buf was the only
buffer that is PKTFILTER_BUF_SIZE and it stores a different string.
(maybe the test can just be removed?).
I agree, the test is useless. So I will remove it.
This whole function could be cleaned up with regards to string
handling.
For example:
str = "pkt_filter_add";
str_len = strlen(str);
strncpy(buf, str, str_len);
buf[str_len] = '\0';
could be replaced with:
strcpy(buf, "pkt_filter_add");
DHD_ERROR(("Not enough buffer %d< %d\n", (int)strlen(arg),
(int)sizeof(buf)));
goto fail;
Not completely, since variable 'str_len' is used in subsequent code. But
this code snippet can be simplified. Will work on it.
Thanks for the feedback,
Roland.
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
