Re: nla_put_string() vs NLA_STRING

2018-02-22 Thread Johannes Berg
On Tue, 2018-02-20 at 22:00 -0800, Kees Cook wrote:
> It seems that in at least one case[1], nla_put_string() is being used
> on an NLA_STRING, which lacks a NULL terminator, which leads to
> silliness when nla_put_string() uses strlen() to figure out the size:

Fun! I'm not a big fan of the

Re: nla_put_string() vs NLA_STRING

2018-02-22 Thread David Miller
From: Kees Cook
Date: Tue, 20 Feb 2018 22:00:26 -0800

> So, this specific problem needs fixing (in at least two places calling
> nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, ...)). While I suspect
> it's only ever written an extra byte from the following variable in
> the

nla_put_string() vs NLA_STRING

2018-02-20 Thread Kees Cook
Hi,

It seems that in at least one case[1], nla_put_string() is being used on an NLA_STRING, which lacks a NULL terminator, which leads to silliness when nla_put_string() uses strlen() to figure out the size:

/**
 * nla_put_string - Add a string netlink attribute to a socket buffer
 * @skb: