[PATCH net-next v2 6/8] net: pktgen: fix access outside of user given buffer in pktgen_thread_write()

22 Jan 2025

Honour the user given buffer size for the strn_len() calls (otherwise
strn_len() will access memory outside of the user given buffer).
Signed-off-by: Peter Seiderer ps.report@gmx.net
---
Changes v1 -> v2:
  - no changes
---
 net/core/pktgen.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index c8a5b4d17407..9fe2a2db0d34 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -1898,8 +1898,8 @@ static ssize_t pktgen_thread_write(struct file *file,
    i = len;
/* Read variable name */
-
-	len = strn_len(&user_buffer[i], sizeof(name) - 1);
+	max = min(sizeof(name) - 1, count - i);
+	len = strn_len(&user_buffer[i], max);
    if (len < 0)
    	return len;
@@ -1929,7 +1929,8 @@ static ssize_t pktgen_thread_write(struct file *file,
    if (!strcmp(name, "add_device")) {
    	char f[32];
    	memset(f, 0, 32);
-		len = strn_len(&user_buffer[i], sizeof(f) - 1);
+		max = min(sizeof(f) - 1, count - i);
+		len = strn_len(&user_buffer[i], max);
    	if (len < 0) {
    		ret = len;
    		goto out;
-- 
2.48.1


    

2025

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH net-next v2 6/8] net: pktgen: fix access outside of user given buffer in pktgen_thread_write()