We supply number of bytes available in @alias via @len parameter to dev_set_alias() which is not the same as zero terminated string length that can be shorter.
Both dev_set_alias() users (rtnetlink and sysfs) can submit number of bytes up to IFALIASZ with actual string length slightly shorter by putting '\0' not at @len - 1. Use strnlen() to get length of zero terminated string and not access beyond @len. Correct comment about @len and explain how to unset alias (i.e. use zero for @len). Signed-off-by: Serhey Popovych <serhe.popov...@gmail.com> --- net/core/dev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/core/dev.c b/net/core/dev.c index b0eee49..d362fe6 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -1243,7 +1243,7 @@ int dev_change_name(struct net_device *dev, const char *newname) * dev_set_alias - change ifalias of a device * @dev: device * @alias: name up to IFALIASZ - * @len: limit of bytes to copy from info + * @len: number of bytes available in @alias, zero to unset current alias * * Set ifalias for a device, */ @@ -1255,6 +1255,8 @@ int dev_set_alias(struct net_device *dev, const char *alias, size_t len) return -EINVAL; if (len) { + len = strnlen(alias, len); + new_alias = kmalloc(sizeof(*new_alias) + len + 1, GFP_KERNEL); if (!new_alias) return -ENOMEM; -- 1.8.3.1