Commit ee0a4718 authored by Miaoqing Pan's avatar Miaoqing Pan Committed by Kalle Valo

ath9k: fix tx99 potential info leak

When the user sets count to zero the string buffer would remain
completely uninitialized which causes the kernel to parse its
own stack data, potentially leading to an info leak. In addition
to that, the string might be not terminated properly when the
user data does not contain a 0-terminator.
Signed-off-by: default avatarMiaoqing Pan <miaoqing@codeaurora.org>
Reviewed-by: default avatarChristoph Böhmwalder <christoph@boehmwalder.at>
Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
parent 2ea9f12c
......@@ -179,6 +179,9 @@ static ssize_t write_file_tx99(struct file *file, const char __user *user_buf,
ssize_t len;
int r;
if (count < 1)
return -EINVAL;
if (sc->cur_chan->nvifs > 1)
return -EOPNOTSUPP;
......@@ -186,6 +189,8 @@ static ssize_t write_file_tx99(struct file *file, const char __user *user_buf,
if (copy_from_user(buf, user_buf, len))
return -EFAULT;
buf[len] = '\0';
if (strtobool(buf, &start))
return -EINVAL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment