Re: [PATCH net] netconsole: avoid out-of-bounds access on empty string in trim_newline()

Next message: Jani Nikula: "Re: [PATCH v2 00/28] drm: Implement state readout support"
Previous message: Ratheesh Kannoth: "[PATCH v3 net 11/11] octeontx2-af: npc: cn20k: Reject missing default-rule MCAM indices"
In reply to: Breno Leitao: "Re: [PATCH net] netconsole: avoid out-of-bounds access on empty string in trim_newline()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Thu Apr 23 2026 - 06:55:24 EST

Hello:

This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@xxxxxxxxxx>:

On Mon, 20 Apr 2026 03:18:36 -0700 you wrote:
> trim_newline() unconditionally dereferences s[len - 1] after computing
> len = strnlen(s, maxlen). When the string is empty, len is 0 and the
> expression underflows to s[(size_t)-1], reading (and potentially
> writing) one byte before the buffer.
>
> The two callers feed trim_newline() with the result of strscpy() from
> configfs store callbacks (dev_name_store, userdatum_value_store).
> configfs guarantees count >= 1 reaches the callback, but the byte
> itself can be NUL: a userspace write(fd, "\0", 1) leaves the
> destination empty after strscpy() and triggers the underflow. The OOB
> write only fires if the adjacent byte happens to be '\n', so this is
> not a security issue, but the access is undefined behaviour either way.
>
> [...]

Here is the summary with links:
- [net] netconsole: avoid out-of-bounds access on empty string in trim_newline()
https://git.kernel.org/netdev/net/c/7079c8c13f2d

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html