From 7546c489a95a033c78331915fcdfa0e6fd74d563 Mon Sep 17 00:00:00 2001 From: Ouden Date: Wed, 18 Mar 2020 17:58:37 +0800 Subject: [PATCH] nl80211: Fix RTM NEW/DELLINK IFLA_IFNAME copy for maximum ifname length If the kernel rtm_newlink or rtm_dellink send the maximum length of ifname (IFNAMSIZ), the event handlers in wpa_driver_nl80211_event_rtm_addlink() and wpa_driver_nl80211_event_rtm_dellink() did not copy the IFLA_IFNAME value. Because the RTA_PAYLOAD (IFLA_IFNAME) length already includes the NULL termination, that equals the IFNAMSIZ. Fix the condition when IFNAME reach maximum size. Signed-off-by: Ouden --- src/drivers/driver_nl80211.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index efcd69ad2..c071cc0e0 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -1047,7 +1047,7 @@ static void wpa_driver_nl80211_event_rtm_newlink(void *ctx, while (RTA_OK(attr, attrlen)) { switch (attr->rta_type) { case IFLA_IFNAME: - if (RTA_PAYLOAD(attr) >= IFNAMSIZ) + if (RTA_PAYLOAD(attr) > IFNAMSIZ) break; os_memcpy(ifname, RTA_DATA(attr), RTA_PAYLOAD(attr)); ifname[RTA_PAYLOAD(attr)] = '\0'; @@ -1222,7 +1222,7 @@ static void wpa_driver_nl80211_event_rtm_dellink(void *ctx, while (RTA_OK(attr, attrlen)) { switch (attr->rta_type) { case IFLA_IFNAME: - if (RTA_PAYLOAD(attr) >= IFNAMSIZ) + if (RTA_PAYLOAD(attr) > IFNAMSIZ) break; os_memcpy(ifname, RTA_DATA(attr), RTA_PAYLOAD(attr)); ifname[RTA_PAYLOAD(attr)] = '\0';