mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print

Message ID 20170109233350.134036-1-briannorris@chromium.org (mailing list archive)
State Accepted
Commit 6183468a23fc6b6903f8597982017ad2c7fdefcf
Delegated to: Kalle Valo

Commit Message

Brian Norris Jan. 9, 2017, 11:33 p.m. UTC
Similar to commit fcd2042e8d36 ("mwifiex: printk() overflow with 32-byte
SSIDs"), we failed to account for the existence of 32-char SSIDs in our
debugfs code. Unlike in that case though, we zeroed out the containing
struct first, and I'm pretty sure we're guaranteed to have some padding
after the 'ssid.ssid' and 'ssid.ssid_len' fields (the struct is 33 bytes
long).

So, this is the difference between:

  # cat /sys/kernel/debug/mwifiex/mlan0/info
  ...
  essid="0123456789abcdef0123456789abcdef "
  ...

and the correct output:

  # cat /sys/kernel/debug/mwifiex/mlan0/info
  ...
  essid="0123456789abcdef0123456789abcdef"
  ...

Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Brian Norris <briannorris@chromium.org>
---
Marking the 'Fixes' tag just for completeness, but AIUI, this isn't a security
vulnerability (besides, it's debugfs), so it might not really warrant -stable.

 drivers/net/wireless/marvell/mwifiex/debugfs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
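
The "sometimes" in the subject, as an added user-space example that is not part of the original message or the driver: with a 32-character SSID the name has no terminating NUL, so "%s" keeps reading into the next byte, while "%.*s" stops at the stored length. The demo_* types, the layout (length byte directly after the name) and the clamp to 32 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32

/* Constructed stand-ins, not the driver's definitions: a 33-byte SSID
 * struct (name first, then a one-byte length) inside a larger struct. */
struct demo_ssid { uint8_t ssid[SSID_MAX]; uint8_t ssid_len; };
struct demo_info { struct demo_ssid ssid; uint8_t bssid[6]; };

/* Zero the whole container first, then copy the name without a NUL. */
static void demo_fill(struct demo_info *info, const char *name)
{
    size_t n = strlen(name);
    if (n > SSID_MAX)
        n = SSID_MAX;
    memset(info, 0, sizeof(*info));
    memcpy(info->ssid.ssid, name, n);
    info->ssid.ssid_len = (uint8_t)n;
}

/* Old behaviour: "%s" runs until the first zero byte. The struct is read
 * through a char pointer to the container so the walk stays inside it. */
static int print_unbounded(char *out, size_t cap, const struct demo_info *info)
{
    return snprintf(out, cap, "essid=\"%s\"", (const char *)info);
}

/* Patched behaviour: precision caps the read at ssid_len bytes. The clamp
 * to SSID_MAX is an extra guard added in this example. */
static int print_bounded(char *out, size_t cap, const struct demo_info *info)
{
    int len = info->ssid.ssid_len > SSID_MAX ? SSID_MAX : info->ssid.ssid_len;
    return snprintf(out, cap, "essid=\"%.*s\"", len,
                    (const char *)info->ssid.ssid);
}

int main(void)
{
    struct demo_info info;
    char line[64];
    demo_fill(&info, "0123456789abcdef0123456789abcdef"); /* constructed SSID */
    print_unbounded(line, sizeof(line), &info);
    printf("%s\n", line);  /* length byte 32 == 0x20 shows up as a space */
    print_bounded(line, sizeof(line), &info);
    printf("%s\n", line);
    return 0;
}
```

In this model the stray trailing character is the length byte itself: 32 is the ASCII code for a space, and the zeroed bytes after it end the string. Any SSID shorter than 32 bytes is followed by a zero inside the array, so both format strings print the same thing.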

Comments

Kalle Valo Jan. 17, 2017, 12:03 p.m. UTC | #1
Brian Norris <briannorris@chromium.org> wrote:
> Similar to commit fcd2042e8d36 ("mwifiex: printk() overflow with 32-byte
> SSIDs"), we failed to account for the existence of 32-char SSIDs in our
> debugfs code. Unlike in that case though, we zeroed out the containing
> struct first, and I'm pretty sure we're guaranteed to have some padding
> after the 'ssid.ssid' and 'ssid.ssid_len' fields (the struct is 33 bytes
> long).
> 
> So, this is the difference between:
> 
>   # cat /sys/kernel/debug/mwifiex/mlan0/info
>   ...
>   essid="0123456789abcdef0123456789abcdef "
>   ...
> 
> and the correct output:
> 
>   # cat /sys/kernel/debug/mwifiex/mlan0/info
>   ...
>   essid="0123456789abcdef0123456789abcdef"
>   ...
> 
> Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
> Signed-off-by: Brian Norris <briannorris@chromium.org>

Patch applied to wireless-drivers-next.git, thanks.

6183468a23fc mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print

Patch

diff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c
index b9284b533294..ae2b69db5994 100644
--- a/drivers/net/wireless/marvell/mwifiex/debugfs.c
+++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c
@@ -114,7 +114,8 @@  mwifiex_info_read(struct file *file, char __user *ubuf,
 	if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) {
 		p += sprintf(p, "multicast_count=\"%d\"\n",
 			     netdev_mc_count(netdev));
-		p += sprintf(p, "essid=\"%s\"\n", info.ssid.ssid);
+		p += sprintf(p, "essid=\"%.*s\"\n", info.ssid.ssid_len,
+			     info.ssid.ssid);
 		p += sprintf(p, "bssid=\"%pM\"\n", info.bssid);
 		p += sprintf(p, "channel=\"%d\"\n", (int) info.bss_chan);
 		p += sprintf(p, "country_code = \"%s\"\n", info.country_code);
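Review bot: the precision on the new essid line is taken directly from info.ssid.ssid_len with no bound against the size of info.ssid.ssid visible here, so the print is only correct if whatever filled the struct already guarantees ssid_len <= 32. Consider clamping at the call site, for example min_t(int, info.ssid.ssid_len, sizeof(info.ssid.ssid)), or adding a comment naming where that invariant is enforced. Separately, "%.*s" still stops at an embedded NUL and writes any non-printable SSID bytes raw into the debugfs output; the kernel's "%*pE" escaped-string format would handle both. Every line in this block also advances p with plain sprintf() and no remaining-space check, which is worth a follow-up.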