From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mail.les.jabatus.fr ([109.234.163.26]:38556 "EHLO mail.les.jabatus.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1046244AbdDXFtX (ORCPT ); Mon, 24 Apr 2017 01:49:23 -0400 From: Michael Mera To: linux-wireless@vger.kernel.org Cc: Michael Mera , Kalle Valo Subject: [PATCH] ath10k: fix out of bounds access to local buffer Date: Mon, 24 Apr 2017 14:39:02 +0900 Message-Id: <20170424053902.1644-1-dev@michaelmera.com> (sfid-20170424_074929_123479_316D8408) Sender: linux-wireless-owner@vger.kernel.org List-ID: During write to debugfs file simulate_fw_crash, fixed-size local buffer 'buf' is accessed and modified at index 'count-1', where 'count' is the size of the write (so potentially out of bounds). This patch fixes this problem. Signed-off-by: Michael Mera --- drivers/net/wireless/ath/ath10k/debug.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c index fb0ade3adb07..7f3c17e55693 100644 --- a/drivers/net/wireless/ath/ath10k/debug.c +++ b/drivers/net/wireless/ath/ath10k/debug.c @@ -628,17 +628,21 @@ static ssize_t ath10k_write_simulate_fw_crash(struct file *file, size_t count, loff_t *ppos) { struct ath10k *ar = file->private_data; - char buf[32]; + char buf[32] = {0}; + ssize_t rc; int ret; - simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count); + /* filter partial writes and invalid commands */ + if (*ppos != 0 || count >= sizeof(buf) || count == 0) + return -EINVAL; - /* make sure that buf is null terminated */ - buf[sizeof(buf) - 1] = 0; + rc = simple_write_to_buffer(buf, sizeof(buf)-1, ppos, user_buf, count); + if (rc < 0) + return rc; /* drop the possible '\n' from the end */ - if (buf[count - 1] == '\n') - buf[count - 1] = 0; + if (buf[*ppos - 1] == '\n') + buf[*ppos - 1] = '\0'; mutex_lock(&ar->conf_mutex); -- 2.9.3