netconsole: propagate device name truncation in dev_name_store()

dev_name_store() calls strscpy(nt->np.dev_name, buf, IFNAMSIZ) without
checking the return value. If userspace writes an interface name longer
than IFNAMSIZ - 1, strscpy() silently truncates and returns -E2BIG, but
the function ignores it and reports a fully successful write back to
userspace.

If a real interface happens to match the truncated name, netconsole will
bind to the wrong device on the next enable, sending kernel logs and
panic output to an unintended network segment with no indication to
userspace that anything was rewritten.

Reject writes whose length cannot fit in nt->np.dev_name up front:

	if (count >= IFNAMSIZ)
		return -ENAMETOOLONG;

This is not a big deal of a problem, but, it is still the correct
approach.

Fixes: 0bcc1816188e57 ("[NET] netconsole: Support dynamic reconfiguration using configfs")
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260427-netconsole_ai_fixes-v2-3-59965f29d9cc@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
index 595e09bd1ccfcfb955cca5307c243e74bd65aeaf..b3b36e3ddd03db80c913c6538dccaa283d57bf88 100644 (file)
--- a/drivers/net/netconsole.c
+++ b/drivers/net/netconsole.c
@@ -817,6 +817,13 @@ static ssize_t dev_name_store(struct config_item *item, const char *buf,
                size_t count)
 {
        struct netconsole_target *nt = to_target(item);
+       size_t len = count;
+
+       /* Account for a trailing newline appended by tools like echo */
+       if (len && buf[len - 1] == '\n')
+               len--;
+       if (len >= IFNAMSIZ)
+               return -ENAMETOOLONG;
 
        dynamic_netconsole_mutex_lock();
        if (nt->state == STATE_ENABLED) {