Skip to content

Commit fe9c582

Browse files
pvts-matPlaidCat
pvts-mat
authored and
PlaidCat
committed
net: pktgen: fix access outside of user given buffer in pktgen_thread_write()
jira VULN-70912 cve CVE-2025-38061 commit-author Peter Seiderer <ps.report@gmx.net> commit 425e644 Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer). Signed-off-by: Peter Seiderer <ps.report@gmx.net> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20250219084527.20488-8-ps.report@gmx.net Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 425e644) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
1 parent 759deb2 commit fe9c582

File tree

1 file changed

+4
-3
lines changed

1 file changed

+4
-3
lines changed

net/core/pktgen.c

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1766,8 +1766,8 @@ static ssize_t pktgen_thread_write(struct file *file,
17661766
i = len;
17671767

17681768
/* Read variable name */
1769-
1770-
len = strn_len(&user_buffer[i], sizeof(name) - 1);
1769+
max = min(sizeof(name) - 1, count - i);
1770+
len = strn_len(&user_buffer[i], max);
17711771
if (len < 0)
17721772
return len;
17731773

@@ -1797,7 +1797,8 @@ static ssize_t pktgen_thread_write(struct file *file,
17971797
if (!strcmp(name, "add_device")) {
17981798
char f[32];
17991799
memset(f, 0, 32);
1800-
len = strn_len(&user_buffer[i], sizeof(f) - 1);
1800+
max = min(sizeof(f) - 1, count - i);
1801+
len = strn_len(&user_buffer[i], max);
18011802
if (len < 0) {
18021803
ret = len;
18031804
goto out;

0 commit comments

Comments
 (0)