[PATCH] drivers/net/wireless/iwlegacy: adding check length for parameter buf

[PATCH] drivers/net/wireless/iwlegacy: adding check length for parameter buf

[Chen Gang]

  the parameter 'const char *buf' may be not '\0' based string.
  so need check the length before use it.

additinal info:
  originally, it had the relative checking.
  but it was deleted when fix another issues (using strlcpy instead of
strncpy)
  and now, we need restore the checking (but still keep strlcpy)

Signed-off-by: Chen Gang <gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
---
 drivers/net/wireless/iwlegacy/3945-mac.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c
b/drivers/net/wireless/iwlegacy/3945-mac.c
index 050ce7c..71cdbac 100644
--- a/drivers/net/wireless/iwlegacy/3945-mac.c
+++ b/drivers/net/wireless/iwlegacy/3945-mac.c
@@ -3273,7 +3273,7 @@ il3945_store_measurement(struct device *d, struct
device_attribute *attr,

 	if (count) {
 		char *p = buffer;
-		strlcpy(buffer, buf, sizeof(buffer));
+		strlcpy(buffer, buf, min(sizeof(buffer), count));
 		channel = simple_strtoul(p, NULL, 0);
 		if (channel)
 			params.channel = channel;
-- 
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] drivers/net/wireless/iwlegacy: adding check length for parameter buf

[Chen Gang F T]

[-- Attachment #1: Type: text/plain, Size: 1359 bytes --]

  oh, sorry, it is my fault.

  according to fill_write_buffer in fs/sysfs/file.c,
    we can assume that 'const char *buf' must be '\0' based string.

  please skip this patch.


gchen.


于 2013年01月20日 17:53, Chen Gang 写道:
> 
>   the parameter 'const char *buf' may be not '\0' based string.
>   so need check the length before use it.
> 
> additinal info:
>   originally, it had the relative checking.
>   but it was deleted when fix another issues (using strlcpy instead of
> strncpy)
>   and now, we need restore the checking (but still keep strlcpy)
> 
> Signed-off-by: Chen Gang <gang.chen-bOixZGp5f+dBDgjK7y7TUQ@public.gmane.org>
> ---
>  drivers/net/wireless/iwlegacy/3945-mac.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c
> b/drivers/net/wireless/iwlegacy/3945-mac.c
> index 050ce7c..71cdbac 100644
> --- a/drivers/net/wireless/iwlegacy/3945-mac.c
> +++ b/drivers/net/wireless/iwlegacy/3945-mac.c
> @@ -3273,7 +3273,7 @@ il3945_store_measurement(struct device *d, struct
> device_attribute *attr,
> 
>  	if (count) {
>  		char *p = buffer;
> -		strlcpy(buffer, buf, sizeof(buffer));
> +		strlcpy(buffer, buf, min(sizeof(buffer), count));
>  		channel = simple_strtoul(p, NULL, 0);
>  		if (channel)
>  			params.channel = channel;
> 


-- 
Chen Gang

Flying Transformer

[-- Attachment #2: chen_gang_flying_transformer.vcf --]
[-- Type: text/x-vcard, Size: 67 bytes --]

begin:vcard
fn:Chen Gang
n:;Chen Gang
version:2.1
end:vcard