Honour the user given buffer size for the strn_len() calls (otherwise
strn_len() will access memory outside of the user given buffer).
Signed-off-by: Peter Seiderer <ps.rep...@gmx.net>
Reviewed-by: Simon Horman <ho...@kernel.org>
---
Changes v4 -> v5
- split up patchset into part i/ii (suggested by Simon Horman)
Changes v3 -> v4
- add rev-by Simon Horman
Changes v2 -> v3:
- no changes
Changes v1 -> v2:
- no changes
---
net/core/pktgen.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index f6e35ba035c7..55064713223e 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -1900,8 +1900,8 @@ static ssize_t pktgen_thread_write(struct file *file,
i = len;
/* Read variable name */
-
- len = strn_len(&user_buffer[i], sizeof(name) - 1);
+ max = min(sizeof(name) - 1, count - i);
+ len = strn_len(&user_buffer[i], max);
if (len < 0)
return len;
@@ -1931,7 +1931,8 @@ static ssize_t pktgen_thread_write(struct file *file,
if (!strcmp(name, "add_device")) {
char f[32];
memset(f, 0, 32);
- len = strn_len(&user_buffer[i], sizeof(f) - 1);
+ max = min(sizeof(f) - 1, count - i);
+ len = strn_len(&user_buffer[i], max);
if (len < 0) {
ret = len;
goto out;
--
2.48.1
