Closed apconole closed 2 years ago
In theory a specially crafted buffer could be constructed which sets the length of the cmd->ifname too large. Such a buffer needs to be sent by root already, so the security implication isn't as pressing.
see:
```c
vsi.request = cmd->tlvid;
strncpy(vsi.ifname, cmd->ifname, sizeof(vsi.ifname));
```
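An added example, not code from the issue or the project: the quoted `strncpy` pattern next to a checked copy, assuming the concern is an `ifname` that fills its field with no terminating NUL. The struct layouts, the 16-byte field size and the helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define IFNAME_LEN 16 /* assumed field size; not taken from the issue */

/* Hypothetical layouts: the real structures are not shown in the issue. */
struct cmd_msg { int tlvid; char ifname[IFNAME_LEN]; };
struct vsi_req { int request; char ifname[IFNAME_LEN]; };

/* Returns 1 if buf holds a NUL within its n bytes, else 0. */
int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Pattern quoted in the issue: when the source has no NUL in its first
 * sizeof(vsi->ifname) bytes, strncpy leaves the destination unterminated. */
void copy_as_reported(struct vsi_req *vsi, const struct cmd_msg *cmd)
{
    vsi->request = cmd->tlvid;
    strncpy(vsi->ifname, cmd->ifname, sizeof(vsi->ifname));
}

/* Checked copy: rejects a name that is unterminated or does not fit,
 * and leaves *vsi untouched on failure. Returns 0 on success, -1 on reject. */
int copy_checked(struct vsi_req *vsi, const struct cmd_msg *cmd)
{
    const char *end = memchr(cmd->ifname, '\0', sizeof(cmd->ifname));
    if (end == NULL)
        return -1;
    size_t len = (size_t)(end - cmd->ifname);
    if (len >= sizeof(vsi->ifname))
        return -1;
    vsi->request = cmd->tlvid;
    memset(vsi->ifname, 0, sizeof(vsi->ifname));
    memcpy(vsi->ifname, cmd->ifname, len);
    return 0;
}

int main(void)
{
    struct cmd_msg cmd = { .tlvid = 1 };
    struct vsi_req vsi;
    memset(cmd.ifname, 'A', sizeof(cmd.ifname)); /* constructed input: no NUL */
    copy_as_reported(&vsi, &cmd);
    printf("reported pattern terminated: %d\n", is_terminated(vsi.ifname, sizeof(vsi.ifname)));
    printf("checked copy result: %d\n", copy_checked(&vsi, &cmd));
    return 0;
}
```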