Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp2970152pxb; Tue, 12 Jan 2021 03:11:48 -0800 (PST) X-Google-Smtp-Source: ABdhPJyhFAyMoa76ARsWyhB6DJMq86oYN6KJduD7+oT57J8z6rb+cXHyKjfS0KJnxum6fvJNLP4D X-Received: by 2002:aa7:c919:: with SMTP id b25mr2834985edt.108.1610449908213; Tue, 12 Jan 2021 03:11:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610449908; cv=none; d=google.com; s=arc-20160816; b=oXDUFpa+pbLN9hGg17MmaP4lERsvs1xE7DmZ9CfiNAsGtimRFOx/J7HlHPFf5C1GU7 i7dzpQztx96loRQsupePx/QRZ5uR9LklBbc+8vGK5simVlfU6EO7zo2LbREt2cXNC0y3 EinaqKAdYx6sypZuQoYAK6jLZ/UK/Qq9wQ/6imCMyOcGJLhCSqpUVD3HDyFAEmLwPYJD o6hco0ZSCCEuHUgXMxSwICM+Iemasl8ad249zxud6tRdpvru/Ax7aQ0j1QdBBeYDTKpw ysLaxQReZFUfUvXZWw2ZJD0E9dEcRrGSCsR/Qa3a20pFSP6ZUL2LiwP9y/MXwnedGlYz Lqfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from; bh=TzQEAV/CtD979x6DEQpAcc7tLfFsYjuyvjcvCSzQ0wI=; b=qo1BKJoUr5IbR1SXOExccVXSznYfPy5hZ8azy59dBBBKkoRW8o79IPYA3DLtREZtwd 4IxUyX+wtiHe7P8s/Jv0RRmcTIlQSNxjNUGlJB1wBCawVXyximL7g5zWWQ+JOnmtke4I 5AhobzNpB4hulMnK+5PTQHR2O/9vAgfxXDVaPyvWBD32iXIUwpnjDbZRGIuj6rGMgD+b 4vCMTjv3EdptRwuF8bQQNkFjBkQK9BDyW5FThOnypN4BvIEWYW4Jh5t0+qn5P+YOWDZA cTavu/jRJfdcpGCU0l44a4gbbiwCyiadARNGrTHcrN/cQ9z3MZhxjgmipFAHbf66kjwJ 35uQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k16si1170009edr.236.2021.01.12.03.11.25; Tue, 12 Jan 2021 03:11:47 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726866AbhALD03 (ORCPT + 99 others); Mon, 11 Jan 2021 22:26:29 -0500 Received: from mailgw02.mediatek.com ([210.61.82.184]:34872 "EHLO mailgw02.mediatek.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1725885AbhALD03 (ORCPT ); Mon, 11 Jan 2021 22:26:29 -0500 X-UUID: 1626aee34ba5497bb7d5913a80228cce-20210112 X-UUID: 1626aee34ba5497bb7d5913a80228cce-20210112 Received: from mtkexhb01.mediatek.inc [(172.21.101.102)] by mailgw02.mediatek.com (envelope-from ) (Cellopoint E-mail Firewall v4.1.14 Build 0819 with TLSv1.2 ECDHE-RSA-AES256-SHA384 256/256) with ESMTP id 96550990; Tue, 12 Jan 2021 11:20:31 +0800 Received: from MTKCAS06.mediatek.inc (172.21.101.30) by mtkmbs06n1.mediatek.inc (172.21.101.129) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 12 Jan 2021 11:20:30 +0800 Received: from mtksdccf07.mediatek.inc (172.21.84.99) by MTKCAS06.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Tue, 12 Jan 2021 11:20:30 +0800 From: Shayne Chen To: linux-wireless CC: Johannes Berg , =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= , Felix Fietkau , Lorenzo Bianconi , Ryder Lee , linux-mediatek , Shayne Chen , Sujuan Chen Subject: [PATCH v2] mac80211: fix incorrect strlen of .write in debugfs Date: Tue, 12 Jan 2021 11:20:28 +0800 Message-ID: <20210112032028.7482-1-shayne.chen@mediatek.com> X-Mailer: git-send-email 2.18.0 MIME-Version: 1.0 Content-Type: text/plain X-MTK: N Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org This fixes strlen mismatch problems happening in some .write callbacks of debugfs. When trying to configure airtime_flags in debugfs, an error appeared: ash: write error: Invalid argument The error is returned from kstrtou16() since a wrong length makes it miss the real end of input string. To fix this, use count as the string length, and set proper end of string for a char buffer. The debug print is shown - airtime_flags_write: count = 2, len = 8, where the actual length is 2, but "len = strlen(buf)" gets 8. Also cleanup the other similar cases for the sake of consistency. Signed-off-by: Sujuan Chen Signed-off-by: Ryder Lee Signed-off-by: Shayne Chen --- v2: - fix r/w buffer OOB - put buf[count] = '\0' to an else --- net/mac80211/debugfs.c | 44 +++++++++++++++++++----------------------- 1 file changed, 20 insertions(+), 24 deletions(-) diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c index 48f144f107d5..9e723d943421 100644 --- a/net/mac80211/debugfs.c +++ b/net/mac80211/debugfs.c @@ -120,18 +120,17 @@ static ssize_t aqm_write(struct file *file, { struct ieee80211_local *local = file->private_data; char buf[100]; - size_t len; - if (count > sizeof(buf)) + if (count >= sizeof(buf)) return -EINVAL; if (copy_from_user(buf, user_buf, count)) return -EFAULT; - buf[sizeof(buf) - 1] = '\0'; - len = strlen(buf); - if (len > 0 && buf[len-1] == '\n') - buf[len-1] = 0; + if (count && buf[count - 1] == '\n') + buf[count - 1] = '\0'; + else + buf[count] = '\0'; if (sscanf(buf, "fq_limit %u", &local->fq.limit) == 1) return count; @@ -177,18 +176,17 @@ static ssize_t airtime_flags_write(struct file *file, { struct ieee80211_local *local = file->private_data; char buf[16]; - size_t len; - if (count > sizeof(buf)) + if (count >= sizeof(buf)) return -EINVAL; if (copy_from_user(buf, user_buf, count)) return -EFAULT; - buf[sizeof(buf) - 1] = 0; - len = strlen(buf); - if (len > 0 && buf[len - 1] == '\n') - buf[len - 1] = 0; + if (count && buf[count - 1] == '\n') + buf[count - 1] = '\0'; + else + buf[count] = '\0'; if (kstrtou16(buf, 0, &local->airtime_flags)) return -EINVAL; @@ -237,20 +235,19 @@ static ssize_t aql_txq_limit_write(struct file *file, { struct ieee80211_local *local = file->private_data; char buf[100]; - size_t len; u32 ac, q_limit_low, q_limit_high, q_limit_low_old, q_limit_high_old; struct sta_info *sta; - if (count > sizeof(buf)) + if (count >= sizeof(buf)) return -EINVAL; if (copy_from_user(buf, user_buf, count)) return -EFAULT; - buf[sizeof(buf) - 1] = 0; - len = strlen(buf); - if (len > 0 && buf[len - 1] == '\n') - buf[len - 1] = 0; + if (count && buf[count - 1] == '\n') + buf[count - 1] = '\0'; + else + buf[count] = '\0'; if (sscanf(buf, "%u %u %u", &ac, &q_limit_low, &q_limit_high) != 3) return -EINVAL; @@ -306,18 +303,17 @@ static ssize_t force_tx_status_write(struct file *file, { struct ieee80211_local *local = file->private_data; char buf[3]; - size_t len; - if (count > sizeof(buf)) + if (count >= sizeof(buf)) return -EINVAL; if (copy_from_user(buf, user_buf, count)) return -EFAULT; - buf[sizeof(buf) - 1] = '\0'; - len = strlen(buf); - if (len > 0 && buf[len - 1] == '\n') - buf[len - 1] = 0; + if (count && buf[count - 1] == '\n') + buf[count - 1] = '\0'; + else + buf[count] = '\0'; if (buf[0] == '0' && buf[1] == '\0') local->force_tx_status = 0; -- 2.29.2