[PATCH] mac80211: fix incorrect strlen of .write in debugfs
Johannes Berg
johannes at sipsolutions.net
Mon Jan 11 07:10:39 EST 2021
On Mon, 2021-01-11 at 14:19 +0800, Shayne Chen wrote:
>
> Regarding the case "10\n\0\0\0\0", both count and strlen() fail to get
> the correct strlen.
Yeah.
I don't think we need to worry about this case.
> # echo "10\n\0\0\0\0" > /sys/kernel/debug/ieee80211/phy0/airtime_flags
> airtime_flags_write: count = 13, strlen = 15
> > > + buf[count] = '\0';
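Review bot: buf[count] = '\0'; lands one byte past the array whenever count equals sizeof(buf), because nothing on this line bounds count first. Reject count >= sizeof(buf) before the copy, or cap the copy at sizeof(buf) - 1 and terminate at the copied length, so the terminator always falls inside buf.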
> >
> > But if count == sizeof(buf) then this is an out-of-bounds write.
> >
> > Same for all the other copied instances.
> >
> > johannes
> >
>
> Should we consider this kind of case here?
Sure, we're at the kernel/userspace trust boundary, we can't just read
out-of-bounds? Or what do you mean?
johannes
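
A userspace C model of the bounded write handler this thread argues for, added here as an example and not taken from the patch or from mac80211. The name flags_write_model and the 16-byte FLAGS_BUF_LEN are assumptions; memcpy stands in for copy_from_user() and strtoul for the kernel's own parser.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define FLAGS_BUF_LEN 16 /* assumed size; the thread only refers to sizeof(buf) */

/* Hypothetical model of a debugfs .write handler. 'ubuf' and 'count' are
 * untrusted, and 'ubuf' is not guaranteed to be NUL-terminated. */
ssize_t flags_write_model(const char *ubuf, size_t count, unsigned long *out)
{
    char buf[FLAGS_BUF_LEN];
    char *end;
    unsigned long val;

    /* Leave room for the terminator: with count == sizeof(buf),
     * buf[count] = '\0' would write one byte past the array. */
    if (count >= sizeof(buf))
        return -E2BIG;

    memcpy(buf, ubuf, count); /* stand-in for copy_from_user() */
    buf[count] = '\0';        /* in bounds because of the check above */

    /* Parse only the terminated local copy; the length of the source is
     * 'count', never strlen() of a buffer that may lack a terminator. */
    errno = 0;
    val = strtoul(buf, &end, 0);
    if (end == buf || errno == ERANGE)
        return -EINVAL;
    if (*end == '\n')
        end++;
    if (*end != '\0') /* anything after the number and newline is rejected */
        return -EINVAL;

    *out = val;
    return (ssize_t)count;
}
```

Input carrying real NUL bytes after the newline parses as 10 because the string ends at the first NUL; the 13-byte literal text from the echo example is rejected as malformed, and neither case reads or writes outside buf.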
More information about the Linux-mediatek
mailing list