[PATCH] mac80211: fix incorrect strlen of .write in debugfs

Shayne Chen shayne.chen at mediatek.com
Mon Jan 11 20:42:32 EST 2021


On Mon, 2021-01-11 at 13:10 +0100, Johannes Berg wrote:
> On Mon, 2021-01-11 at 14:19 +0800, Shayne Chen wrote:
> > 
> > Regarding the case "10\n\0\0\0\0", both count and strlen() fail to get
> > the correct strlen.
> 
> Yeah.
> 
> I don't think we need to worry about this case.
> 
Got it.
> > # echo "10\n\0\0\0\0" > /sys/kernel/debug/ieee80211/phy0/airtime_flags
> > airtime_flags_write: count = 13, strlen = 15 
> > > > +	buf[count] = '\0';
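Review bot: on the `buf[count] = '\0';` line the index is the length supplied by the writer, and nothing in the quoted line bounds it, so a write with count == sizeof(buf) stores the terminator one byte past the array. Reject that length before the copy, for example with `if (count >= sizeof(buf)) return -EINVAL;`, and apply the same check wherever this pattern was copied.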
> > > 
> > > But if count == sizeof(buf) then this is an out-of-bounds write.
> > > 
> > > Same for all the other copied instances.
> > > 
> > > johannes
> > > 
> > 
> > Should we consider this kind of case here?
> 
> Sure, we're at the kernel/userspace trust boundary, we can't just read
> out-of-bounds? Or what do you mean?
> 
> johannes
> 
> 

Sorry, I put the reply in the wrong place.
I meant: should we consider the case "10\n\0\0\0\0" here?

Will send v2, thank you.

Shayne
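
A userspace model of the bounded copy and termination discussed in this thread, added here as an example (not code from the patch or from mac80211). `flags_write_model`, `FLAGS_BUF_LEN`, and the use of `memcpy`/`strtoul` in place of the kernel's copy and parse helpers are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FLAGS_BUF_LEN 16 /* assumed size; the thread does not show it */

/*
 * Model of a debugfs .write handler: ubuf/count stand in for the user
 * pointer and length. Returns bytes consumed or a negative errno.
 */
static long flags_write_model(const char *ubuf, size_t count,
                              unsigned long *flags)
{
    char buf[FLAGS_BUF_LEN];
    char *end;
    unsigned long val;

    /* count == sizeof(buf) would make buf[count] an out-of-bounds
     * write, so the terminator needs one byte of headroom. */
    if (count >= sizeof(buf))
        return -EINVAL;

    memcpy(buf, ubuf, count);  /* stand-in for copy_from_user() */
    buf[count] = '\0';         /* terminate at count, not at strlen(ubuf) */

    if (buf[0] < '0' || buf[0] > '9')
        return -EINVAL;
    errno = 0;
    val = strtoul(buf, &end, 10);
    if (errno == ERANGE)
        return -EINVAL;
    /* Accept one trailing newline; parsing ends at the first NUL, so
     * the NUL padding in "10\n\0\0\0\0" is ignored. */
    if (*end == '\n')
        end++;
    if (*end != '\0')
        return -EINVAL;

    *flags = val;
    return (long)count;
}

int main(void)
{
    unsigned long flags = 0;
    long ret = flags_write_model("10\n\0\0\0\0", 7, &flags);
    printf("ret=%ld flags=%lu\n", ret, flags);
    return 0;
}
```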


More information about the Linux-mediatek mailing list