Skip to content

Commit 499f93a

Browse files
pvts-matPlaidCat
pvts-mat
authored and
PlaidCat
committed
net: pktgen: fix access outside of user given buffer in pktgen_thread_write()
jira VULN-70907 cve CVE-2025-38061 commit-author Peter Seiderer <ps.report@gmx.net> commit 425e644 Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer). Signed-off-by: Peter Seiderer <ps.report@gmx.net> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20250219084527.20488-8-ps.report@gmx.net Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 425e644) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
1 parent ab8e5bf commit 499f93a

File tree

1 file changed

+4
-3
lines changed

1 file changed

+4
-3
lines changed

net/core/pktgen.c

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1777,8 +1777,8 @@ static ssize_t pktgen_thread_write(struct file *file,
17771777
i = len;
17781778

17791779
/* Read variable name */
1780-
1781-
len = strn_len(&user_buffer[i], sizeof(name) - 1);
1780+
max = min(sizeof(name) - 1, count - i);
1781+
len = strn_len(&user_buffer[i], max);
17821782
if (len < 0)
17831783
return len;
17841784

@@ -1808,7 +1808,8 @@ static ssize_t pktgen_thread_write(struct file *file,
18081808
if (!strcmp(name, "add_device")) {
18091809
char f[32];
18101810
memset(f, 0, 32);
1811-
len = strn_len(&user_buffer[i], sizeof(f) - 1);
1811+
max = min(sizeof(f) - 1, count - i);
1812+
len = strn_len(&user_buffer[i], max);
18121813
if (len < 0) {
18131814
ret = len;
18141815
goto out;

0 commit comments

Comments
 (0)