On Tue, 2018-02-20 at 22:00 -0800, Kees Cook wrote:
> It seems that in at least one case[1], nla_put_string() is being used
> on an NLA_STRING, which lacks a NULL terminator, which leads to
> silliness when nla_put_string() uses strlen() to figure out the size:
Fun! I'm not a big fan of the whole
From: Kees Cook
Date: Tue, 20 Feb 2018 22:00:26 -0800
> So, this specific problem needs fixing (in at least two places calling
> nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, ...)). While I suspect
> it's only ever written an extra byte from the following variable in
> the structure which is an en
