From patchwork Mon Jan 9 23:33:50 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Brian Norris X-Patchwork-Id: 9506069 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id BC66F601EA for ; Mon, 9 Jan 2017 23:34:14 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AFE38284F3 for ; Mon, 9 Jan 2017 23:34:14 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A4B4E284F9; Mon, 9 Jan 2017 23:34:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7575C284F3 for ; Mon, 9 Jan 2017 23:34:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756204AbdAIXeL (ORCPT ); Mon, 9 Jan 2017 18:34:11 -0500 Received: from mail-pf0-f181.google.com ([209.85.192.181]:34129 "EHLO mail-pf0-f181.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753310AbdAIXeJ (ORCPT ); Mon, 9 Jan 2017 18:34:09 -0500 Received: by mail-pf0-f181.google.com with SMTP id 127so35446473pfg.1 for ; Mon, 09 Jan 2017 15:34:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id; bh=a77VJN0ckKSD/qDb2z4x+MCCmUjswXuISDkjbZPDfkY=; b=TbUubwPaCMrZPOpS6X25/V94YMW/u1tNk48nnjdwB3m74bGzaohC8zwUNKvQPep+5N 4+duKlLNQCQxNuuWvi6iyFau9VFneXH6HgFug2BWW9+Qdo1QPUtG+IPtI7zAPxGyHORp tcLdzveOePWCKbjNVrbArEFwNWAUewmnvqOUA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=a77VJN0ckKSD/qDb2z4x+MCCmUjswXuISDkjbZPDfkY=; b=VZ9rW4ewkYVW3ZzjfU8XAwnayk6TVNe8KSfY+MkcNPXlQlgmWa0pnMpKSYpIMG7QyN SvjQI989DUCUlbHi+rX3l+M+P4i/cMQumQOb/brhrX0Qivn5P+KMB+nwVdA2xZ3tKouK 5y9zwf2hWr9+Doz9VkOsDqJebpfs/M1JZwh409If9KzvQ2nCbmXVadsWxq3OA3YOcJc0 z7I4QOSqUl2hrKnWvA3MXmYhvHnmgvfSOxIRdHOdhbMLoE0oHuiNb0zuVLEaysgu0iRz dM4w4+vRD1oXT7LklaPrM//o5pfDjV3PI11K25oxaA2To15KlCKRSlg30MKC9SCntvS5 2ALg== X-Gm-Message-State: AIkVDXLmQ5Ju6trO6IxBtz2E1L5DW1FortpglexbIQSAsiXWiIBtVj0yOnret/5Xk2O4F2Ku X-Received: by 10.99.98.132 with SMTP id w126mr288849pgb.59.1484004848642; Mon, 09 Jan 2017 15:34:08 -0800 (PST) Received: from ban.mtv.corp.google.com ([172.22.64.120]) by smtp.gmail.com with ESMTPSA id n86sm42503pfb.45.2017.01.09.15.34.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 09 Jan 2017 15:34:07 -0800 (PST) From: Brian Norris To: Amitkumar Karwar , Nishant Sarmukadam Cc: , Kalle Valo , linux-wireless@vger.kernel.org, Cathy Luo , Brian Norris Subject: [PATCH] mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print Date: Mon, 9 Jan 2017 15:33:50 -0800 Message-Id: <20170109233350.134036-1-briannorris@chromium.org> X-Mailer: git-send-email 2.11.0.390.gc69c2f50cf-goog Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Similar to commit fcd2042e8d36 ("mwifiex: printk() overflow with 32-byte SSIDs"), we failed to account for the existence of 32-char SSIDs in our debugfs code. Unlike in that case though, we zeroed out the containing struct first, and I'm pretty sure we're guaranteed to have some padding after the 'ssid.ssid' and 'ssid.ssid_len' fields (the struct is 33 bytes long). So, this is the difference between: # cat /sys/kernel/debug/mwifiex/mlan0/info ... essid="0123456789abcdef0123456789abcdef " ... and the correct output: # cat /sys/kernel/debug/mwifiex/mlan0/info ... essid="0123456789abcdef0123456789abcdef" ... Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") Signed-off-by: Brian Norris --- Marking the 'Fixes' tag just for completeness, but AIUI, this isn't a security vulnerability (besides, it's debugfs), so it might not really warrant -stable. drivers/net/wireless/marvell/mwifiex/debugfs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c index b9284b533294..ae2b69db5994 100644 --- a/drivers/net/wireless/marvell/mwifiex/debugfs.c +++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c @@ -114,7 +114,8 @@ mwifiex_info_read(struct file *file, char __user *ubuf, if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) { p += sprintf(p, "multicast_count=\"%d\"\n", netdev_mc_count(netdev)); - p += sprintf(p, "essid=\"%s\"\n", info.ssid.ssid); + p += sprintf(p, "essid=\"%.*s\"\n", info.ssid.ssid_len, + info.ssid.ssid); p += sprintf(p, "bssid=\"%pM\"\n", info.bssid); p += sprintf(p, "channel=\"%d\"\n", (int) info.bss_chan); p += sprintf(p, "country_code = \"%s\"\n", info.country_code);