diff options
| author | Anjaneyulu <[email protected]> | 2023-12-19 21:58:55 +0200 |
|---|---|---|
| committer | Johannes Berg <[email protected]> | 2023-12-21 20:35:16 +0100 |
| commit | cb2dfacb197bed0241fbb4f84bd0995a47f4465e (patch) | |
| tree | c0f3900405997327596a3e6850639fff78b9d7a5 | |
| parent | c5bfdb46636a2ea7f0678243c6d3e9f8d26b027a (diff) | |
wifi: iwlwifi: fix out of bound copy_from_user
The driver copies the userspace buffer into an internal NUL
byte terminated buffer. While doing so, it was reading beyond
the end of the userspace buffer, overwriting its own NUL
termination in the process.
Fix this by only copying the correct number of bytes.
Fixes: 3f244876ef73 ("wifi: iwlwifi: make debugfs entries link specific")
Signed-off-by: Anjaneyulu <[email protected]>
Reviewed-by: Gregory Greenman <[email protected]>
Reviewed-by: Benjamin Berg <[email protected]>
Signed-off-by: Miri Korenblit <[email protected]>
Link: https://msgid.link/20231219215605.e4913deb2ad4.Idcf6a7e909ff4b7801cd49c2f691f84a2f68eff9@changeid
Signed-off-by: Johannes Berg <[email protected]>
| -rw-r--r-- | drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c index e016fce7ab24..16a104de8371 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c @@ -1829,7 +1829,7 @@ static ssize_t _iwl_dbgfs_link_sta_##name##_write(struct file *file, \ char buf[buflen] = {}; \ size_t buf_size = min(count, sizeof(buf) - 1); \ \ - if (copy_from_user(buf, user_buf, sizeof(buf))) \ + if (copy_from_user(buf, user_buf, buf_size)) \ return -EFAULT; \ \ return _iwl_dbgfs_link_sta_wrap_write(iwl_dbgfs_##name##_write, \ |