2013-01-20 10:05:05

by Chen Gang

[permalink] [raw]
Subject: [suggestion] drivers/net/wireless/iwlegacy: the parameter 'const char *buf' may be not '\0' base string for DINFO

Hello Stanislaw, John

we can not assume that the parameter 'const char *buf' is '\0' base string.
and DINOF uses '%s' for buf (in line 3288..3289)
so it will cause issue.

I am not quite familiar with the detail features.
so I send mail as a suggestion.
please help checking, if this suggestion is valid, please help fixing, thanks.

Regards

gchen.

3260 static ssize_t
3261 il3945_store_measurement(struct device *d, struct device_attribute *attr,
3262 const char *buf, size_t count)
3263 {
3264 struct il_priv *il = dev_get_drvdata(d);
3265 struct ieee80211_measurement_params params = {
3266 .channel = le16_to_cpu(il->active.channel),
3267 .start_time = cpu_to_le64(il->_3945.last_tsf),
3268 .duration = cpu_to_le16(1),
3269 };
3270 u8 type = IL_MEASURE_BASIC;
3271 u8 buffer[32];
3272 u8 channel;
3273
3274 if (count) {
3275 char *p = buffer;
3276 strlcpy(buffer, buf, min(sizeof(buffer), count));
3277 channel = simple_strtoul(p, NULL, 0);
3278 if (channel)
3279 params.channel = channel;
3280
3281 p = buffer;
3282 while (*p && *p != ' ')
3283 p++;
3284 if (*p)
3285 type = simple_strtoul(p + 1, NULL, 0);
3286 }
3287
3288 D_INFO("Invoking measurement of type %d on " "channel %d (for '%s')\n",
3289 type, params.channel, buf);
3290 il3945_get_measurement(il, &params, type);
3291
3292 return count;
3293 }
3294




--
Chen Gang

Asianux Corporation


2013-01-20 10:43:52

by Chen Gang F T

[permalink] [raw]
Subject: Re: [suggestion] drivers/net/wireless/iwlegacy: the parameter 'const char *buf' may be not '\0' base string for DINFO

oh, sorry, it is my fault.

according to fill_write_buffer in fs/sysfs/file.c,
we can assume that 'const char *buf' must be '\0' based string.

please skip this suggestion.


gchen.

?? 2013??01??20?? 18:05, Chen Gang ะด??:
> Hello Stanislaw, John
>
> we can not assume that the parameter 'const char *buf' is '\0' base string.
> and DINOF uses '%s' for buf (in line 3288..3289)
> so it will cause issue.
>
> I am not quite familiar with the detail features.
> so I send mail as a suggestion.
> please help checking, if this suggestion is valid, please help fixing, thanks.
>
> Regards
>
> gchen.
>
> 3260 static ssize_t
> 3261 il3945_store_measurement(struct device *d, struct device_attribute *attr,
> 3262 const char *buf, size_t count)
> 3263 {
> 3264 struct il_priv *il = dev_get_drvdata(d);
> 3265 struct ieee80211_measurement_params params = {
> 3266 .channel = le16_to_cpu(il->active.channel),
> 3267 .start_time = cpu_to_le64(il->_3945.last_tsf),
> 3268 .duration = cpu_to_le16(1),
> 3269 };
> 3270 u8 type = IL_MEASURE_BASIC;
> 3271 u8 buffer[32];
> 3272 u8 channel;
> 3273
> 3274 if (count) {
> 3275 char *p = buffer;
> 3276 strlcpy(buffer, buf, min(sizeof(buffer), count));
> 3277 channel = simple_strtoul(p, NULL, 0);
> 3278 if (channel)
> 3279 params.channel = channel;
> 3280
> 3281 p = buffer;
> 3282 while (*p && *p != ' ')
> 3283 p++;
> 3284 if (*p)
> 3285 type = simple_strtoul(p + 1, NULL, 0);
> 3286 }
> 3287
> 3288 D_INFO("Invoking measurement of type %d on " "channel %d (for '%s')\n",
> 3289 type, params.channel, buf);
> 3290 il3945_get_measurement(il, &params, type);
> 3291
> 3292 return count;
> 3293 }
> 3294
>
>
>
>


--
Chen Gang

Flying Transformer

Attachments:
chen_gang_flying_transformer.vcf (67.00 B)