
Commit a16703aa authored by Michael Mera, committed by Kalle Valo

ath10k: fix out of bounds access to local buffer



During write to debugfs file simulate_fw_crash, fixed-size local buffer
'buf' is accessed and modified at index 'count-1', where 'count' is the
size of the write (so potentially out of bounds).
This patch fixes this problem.

Signed-off-by: Michael Mera <dev@michaelmera.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
parent d96db25d
+10 −6
@@ -625,17 +625,21 @@ static ssize_t ath10k_write_simulate_fw_crash(struct file *file,
					      size_t count, loff_t *ppos)
					      size_t count, loff_t *ppos)
{
{
	struct ath10k *ar = file->private_data;
	struct ath10k *ar = file->private_data;
	char buf[32];
	char buf[32] = {0};
	ssize_t rc;
	int ret;
	int ret;


	simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
	/* filter partial writes and invalid commands */
	if (*ppos != 0 || count >= sizeof(buf) || count == 0)
		return -EINVAL;


	/* make sure that buf is null terminated */
	rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
	buf[sizeof(buf) - 1] = 0;
	if (rc < 0)
		return rc;


	/* drop the possible '\n' from the end */
	/* drop the possible '\n' from the end */
	if (buf[count - 1] == '\n')
	if (buf[*ppos - 1] == '\n')
		buf[count - 1] = 0;
		buf[*ppos - 1] = '\0';


	mutex_lock(&ar->conf_mutex);
	mutex_lock(&ar->conf_mutex);
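Review bot: The newline check now indexes `buf[*ppos - 1]`, which is only in bounds if the write advanced `*ppos` by at least one byte, yet the only guard after `simple_write_to_buffer()` is `rc < 0`. Returning on `rc <= 0` and indexing with `buf[rc - 1]` would tie the index directly to the number of bytes copied into `buf` rather than to the file position, which is a `loff_t` and is only known to be small because of the `*ppos != 0` check several lines earlier. Separately, the new `count >= sizeof(buf)` test makes over-long writes fail with -EINVAL, where the old call capped the copy at `sizeof(buf) - 1`; the commit message should mention that change in behaviour for the debugfs file.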