net: pktgen: fix access outside of user given buffer in pktgen_thread_write()

[ Upstream commit 425e64440ad0a2f03bdaf04be0ae53dededbaa77 ]

Honour the user given buffer size for the strn_len() calls (otherwise
strn_len() will access memory outside of the user given buffer).

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250219084527.20488-8-ps.report@gmx.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 6ea34c95179f40d001f138ca225201ee75ba0ec6..d3a76e81dd886383561acfe3815d4078501709d3 100644 (file)
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -1898,8 +1898,8 @@ static ssize_t pktgen_thread_write(struct file *file,
        i = len;
 
        /* Read variable name */
-
-       len = strn_len(&user_buffer[i], sizeof(name) - 1);
+       max = min(sizeof(name) - 1, count - i);
+       len = strn_len(&user_buffer[i], max);
        if (len < 0)
                return len;
 
@@ -1929,7 +1929,8 @@ static ssize_t pktgen_thread_write(struct file *file,
        if (!strcmp(name, "add_device")) {
                char f[32];
                memset(f, 0, 32);
-               len = strn_len(&user_buffer[i], sizeof(f) - 1);
+               max = min(sizeof(f) - 1, count - i);
+               len = strn_len(&user_buffer[i], max);
                if (len < 0) {
                        ret = len;
                        goto out;