From 9ccfcb131deda19ea930699047d879c07eced72e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcin=20Wcis=C5=82o?= Date: Thu, 26 Jun 2025 23:39:37 +0200 Subject: [PATCH] net: pktgen: fix access outside of user given buffer in pktgen_thread_write() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit jira VULN-70913 cve CVE-2025-38061 commit-author Peter Seiderer commit 425e64440ad0a2f03bdaf04be0ae53dededbaa77 Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer). Signed-off-by: Peter Seiderer Reviewed-by: Simon Horman Link: https://patch.msgid.link/20250219084527.20488-8-ps.report@gmx.net Signed-off-by: Jakub Kicinski (cherry picked from commit 425e64440ad0a2f03bdaf04be0ae53dededbaa77) Signed-off-by: Marcin Wcisło --- net/core/pktgen.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/core/pktgen.c b/net/core/pktgen.c index 09d9ef4cab8e2..19fbde1f151cd 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -1766,8 +1766,8 @@ static ssize_t pktgen_thread_write(struct file *file, i = len; /* Read variable name */ - - len = strn_len(&user_buffer[i], sizeof(name) - 1); + max = min(sizeof(name) - 1, count - i); + len = strn_len(&user_buffer[i], max); if (len < 0) return len; @@ -1797,7 +1797,8 @@ static ssize_t pktgen_thread_write(struct file *file, if (!strcmp(name, "add_device")) { char f[32]; memset(f, 0, 32); - len = strn_len(&user_buffer[i], sizeof(f) - 1); + max = min(sizeof(f) - 1, count - i); + len = strn_len(&user_buffer[i], max); if (len < 0) { ret = len; goto out;