Some debugfs write() operations of the MVM Firmware will ignore the
count argument, and will copy more bytes than what was specified.
Fix this by getting the right count of bytes.
This will also honor restrictions put on the number of bytes to write.
To be consitant this patch also switches the initializer from
'char buf[x] = {}' to the explicit memset() as it is done in other
places of the same file.
Cc: [email protected]
Signed-off-by: Djalal Harouni <[email protected]>
---
Patch compile tested only.
Dual BSD/GPLv2 license: Ok
drivers/net/wireless/iwlwifi/mvm/debugfs.c | 28 ++++++++++++++++++++--------
1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/iwlwifi/mvm/debugfs.c b/drivers/net/wireless/iwlwifi/mvm/debugfs.c
index 56f6827..ca368db 100644
--- a/drivers/net/wireless/iwlwifi/mvm/debugfs.c
+++ b/drivers/net/wireless/iwlwifi/mvm/debugfs.c
@@ -251,13 +251,16 @@ static ssize_t iwl_dbgfs_power_down_allow_write(struct file *file,
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
- char buf[8] = {};
+ char buf[8];
int allow;
if (!mvm->ucode_loaded)
return -EIO;
- if (copy_from_user(buf, user_buf, sizeof(buf)))
+ memset(buf, 0, sizeof(buf));
+ if (count > sizeof(buf) - 1)
+ count = sizeof(buf) - 1;
+ if (copy_from_user(buf, user_buf, count))
return -EFAULT;
if (sscanf(buf, "%d", &allow) != 1)
@@ -278,10 +281,13 @@ static ssize_t iwl_dbgfs_power_down_d3_allow_write(struct file *file,
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
- char buf[8] = {};
+ char buf[8];
int allow;
- if (copy_from_user(buf, user_buf, sizeof(buf)))
+ memset(buf, 0, sizeof(buf));
+ if (count > sizeof(buf) - 1)
+ count = sizeof(buf) - 1;
+ if (copy_from_user(buf, user_buf, count))
return -EFAULT;
if (sscanf(buf, "%d", &allow) != 1)
@@ -363,11 +369,14 @@ static ssize_t iwl_dbgfs_pm_params_write(struct file *file,
struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
struct iwl_mvm *mvm = mvmvif->dbgfs_data;
enum iwl_dbgfs_pm_mask param;
- char buf[32] = {};
+ char buf[32];
int val;
int ret;
- if (copy_from_user(buf, user_buf, sizeof(buf)))
+ memset(buf, 0, sizeof(buf));
+ if (count > sizeof(buf) - 1)
+ count = sizeof(buf) - 1;
+ if (copy_from_user(buf, user_buf, count))
return -EFAULT;
if (!strncmp("keep_alive=", buf, 11)) {
@@ -824,10 +833,13 @@ static ssize_t iwl_dbgfs_d3_sram_write(struct file *file,
size_t count, loff_t *ppos)
{
struct iwl_mvm *mvm = file->private_data;
- char buf[8] = {};
+ char buf[8];
int store;
- if (copy_from_user(buf, user_buf, sizeof(buf)))
+ memset(buf, 0, sizeof(buf));
+ if (count > sizeof(buf) - 1)
+ count = sizeof(buf) - 1;
+ if (copy_from_user(buf, user_buf, count))
return -EFAULT;
if (sscanf(buf, "%d", &store) != 1)
--
1.7.11.7
> Some debugfs write() operations of the MVM Firmware will ignore the count
> argument, and will copy more bytes than what was specified.
> Fix this by getting the right count of bytes.
>
> This will also honor restrictions put on the number of bytes to write.
That makes some sense.
> To be consitant this patch also switches the initializer from 'char buf[x] = {}' to
> the explicit memset() as it is done in other places of the same file.
I'd rather this (a) be done in a separate patch, and (b) the other way around, switch everything to C99.
> Cc: [email protected]
That doesn't really make sense for the debugfs interface.
> + memset(buf, 0, sizeof(buf));
> + if (count > sizeof(buf) - 1)
> + count = sizeof(buf) - 1;
Why -1? And why not use min()/min_t()?
johannes
--
Intel GmbH
Dornacher Strasse 1
85622 Feldkirchen/Muenchen, Deutschland
Sitz der Gesellschaft: Feldkirchen bei Muenchen
Geschaeftsfuehrer: Christian Lamprechter, Hannes Schwaderer, Douglas Lusk
Registergericht: Muenchen HRB 47456
Ust.-IdNr./VAT Registration No.: DE129385895
Citibank Frankfurt a.M. (BLZ 502 109 00) 600119052
On Mon, Aug 12, 2013 at 08:19:12AM +0000, Berg, Johannes wrote:
> > Some debugfs write() operations of the MVM Firmware will ignore the count
> > argument, and will copy more bytes than what was specified.
> > Fix this by getting the right count of bytes.
> >
> > This will also honor restrictions put on the number of bytes to write.
>
> That makes some sense.
And avoid strncmp() on garbage data.
> > To be consitant this patch also switches the initializer from 'char buf[x] = {}' to
> > the explicit memset() as it is done in other places of the same file.
>
> I'd rather this (a) be done in a separate patch, and (b) the other way around, switch everything to C99.
Ok
> > Cc: [email protected]
>
> That doesn't really make sense for the debugfs interface.
Ok
> > + memset(buf, 0, sizeof(buf));
> > + if (count > sizeof(buf) - 1)
> > + count = sizeof(buf) - 1;
>
> Why -1? And why not use min()/min_t()?
Yes -1 to be sure that the processed string is null terminated
Ok will use min_t
Will send a second version, Thanks!
> johannes
> --
>
> Intel GmbH
> Dornacher Strasse 1
> 85622 Feldkirchen/Muenchen, Deutschland
> Sitz der Gesellschaft: Feldkirchen bei Muenchen
> Geschaeftsfuehrer: Christian Lamprechter, Hannes Schwaderer, Douglas Lusk
> Registergericht: Muenchen HRB 47456
> Ust.-IdNr./VAT Registration No.: DE129385895
> Citibank Frankfurt a.M. (BLZ 502 109 00) 600119052
>
--
Djalal Harouni
http://opendz.org