From 183c77ad6d6a64a7715a5e95fd8e68986019c3b2 Mon Sep 17 00:00:00 2001 From: norly Date: Tue, 19 Feb 2019 22:10:16 +0100 Subject: [PATCH] ioctl(SIOCGIFNAME): Copy at most IFNAMSIZ bytes, but less if possible Thus, we don't leak any trailing bytes that may be in the name buffer. --- module/elmcan.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/module/elmcan.c b/module/elmcan.c index 10ca308..538134c 100644 --- a/module/elmcan.c +++ b/module/elmcan.c @@ -1273,13 +1273,15 @@ static int elmcan_ldisc_ioctl(struct tty_struct *tty, struct file *file, unsigned int cmd, unsigned long arg) { struct elmcan *elm = get_elm(tty); + unsigned int tmp; if (!elm) return -EINVAL; switch (cmd) { case SIOCGIFNAME: - if (copy_to_user((void __user *)arg, elm->dev->name, IFNAMSIZ)) { + tmp = strnlen(elm->dev->name, IFNAMSIZ - 1) + 1; + if (copy_to_user((void __user *)arg, elm->dev->name, tmp)) { put_elm(elm); return -EFAULT; } -- 2.30.2