Patch "netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write()" has been added to the 5.15-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write()

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netdevsim-add-trailing-zero-to-terminate-the-string-.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 4ba111f2425eba5a0785cd8bd834c3093888290f
Author: Zichen Xie <zichenxie0106@xxxxxxxxx>
Date:   Tue Oct 22 12:19:08 2024 -0500

    netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write()
    
    [ Upstream commit 4ce1f56a1eaced2523329bef800d004e30f2f76c ]
    
    This was found by a static analyzer.
    We should not forget the trailing zero after copy_from_user()
    if we will further do some string operations, sscanf() in this
    case. Adding a trailing zero will ensure that the function
    performs properly.
    
    Fixes: c6385c0b67c5 ("netdevsim: Allow reporting activity on nexthop buckets")
    Signed-off-by: Zichen Xie <zichenxie0106@xxxxxxxxx>
    Reviewed-by: Petr Machata <petrm@xxxxxxxxxx>
    Reviewed-by: Ido Schimmel <idosch@xxxxxxxxxx>
    Link: https://patch.msgid.link/20241022171907.8606-1-zichenxie0106@xxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/netdevsim/fib.c b/drivers/net/netdevsim/fib.c
index 14787d17f703f..b71414b3a1d40 100644
--- a/drivers/net/netdevsim/fib.c
+++ b/drivers/net/netdevsim/fib.c
@@ -1366,10 +1366,12 @@ static ssize_t nsim_nexthop_bucket_activity_write(struct file *file,
 
 	if (pos != 0)
 		return -EINVAL;
-	if (size > sizeof(buf))
+	if (size > sizeof(buf) - 1)
 		return -EINVAL;
 	if (copy_from_user(buf, user_buf, size))
 		return -EFAULT;
+	buf[size] = 0;
+
 	if (sscanf(buf, "%u %hu", &nhid, &bucket_index) != 2)
 		return -EINVAL;
 




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux