ath10k: fix out of bounds access to local buffer

During write to debugfs file simulate_fw_crash, fixed-size local buffer 'buf' is accessed and modified at index 'count-1', where 'count' is the size of the write (so potentially out of bounds). This patch fixes this problem. Signed-off-by: Michael Mera <dev@michaelmera.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>

ath10k: fix out of bounds access to local buffer
During write to debugfs file simulate_fw_crash, fixed-size local buffer 'buf' is accessed and modified at index 'count-1', where 'count' is the size of the write (so potentially out of bounds). This patch fixes this problem. Signed-off-by: Michael Mera <dev@michaelmera.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
a16703aa · Michael Mera · Kalle Valo · d96db25d · a16703aa
Commit a16703aa authored Apr 24, 2017 by Michael Mera Committed by Kalle Valo May 04, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 6 deletions

drivers/net/wireless/ath/ath10k/debug.c drivers/net/wireless/ath/ath10k/debug.c +10 -6

No files found.
--- a/drivers/net/wireless/ath/ath10k/debug.c
+++ b/drivers/net/wireless/ath/ath10k/debug.c
@@ -625,17 +625,21 @@ static ssize_t ath10k_write_simulate_fw_crash(struct file *file,
 					      size_t count, loff_t *ppos)
 {
 	struct ath10k *ar = file->private_data;
-	char buf[32];
+	char buf[32] = {0};
+	ssize_t rc;
 	int ret;

-	simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
+	/* filter partial writes and invalid commands */
+	if (*ppos != 0 || count >= sizeof(buf) || count == 0)
+		return -EINVAL;

-	/* make sure that buf is null terminated */
-	buf[sizeof(buf) - 1] = 0;
+	rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
+	if (rc < 0)
+		return rc;

 	/* drop the possible '\n' from the end */
-	if (buf[count - 1] == '\n')
-		buf[count - 1] = 0;
+	if (buf[*ppos - 1] == '\n')
+		buf[*ppos - 1] = '\0';

 	mutex_lock(&ar->conf_mutex);