diff mbox series

media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var()

Message ID 26124bcd-8132-4483-9d67-225c87d424e8@kili.mountain (mailing list archive)
State New, archived
Headers show
Series media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var() | expand

Commit Message

Dan Carpenter May 26, 2023, 11:53 a.m. UTC
Ideally, strlen(cur->string.pointer) and strlen(out) would be the same.
But this code is using strscpy() to avoid a potential buffer overflow.
So in the same way we should take the strlen() of the smaller string to
avoid a buffer overflow in the caller, gmin_get_var_int().

Fixes: 387041cda44e ("media: atomisp: improve sensor detection code to use _DSM table")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Hans de Goede May 27, 2023, 3:48 p.m. UTC | #1
Hi,

On 5/26/23 13:53, Dan Carpenter wrote:
> Ideally, strlen(cur->string.pointer) and strlen(out) would be the same.
> But this code is using strscpy() to avoid a potential buffer overflow.
> So in the same way we should take the strlen() of the smaller string to
> avoid a buffer overflow in the caller, gmin_get_var_int().
> 
> Fixes: 387041cda44e ("media: atomisp: improve sensor detection code to use _DSM table")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Thank you I have applied this to my media-atomisp branch:
https://git.kernel.org/pub/scm/linux/kernel/git/hansg/linux.git/log/?h=media-atomisp

And this will be included in my next pull-req to Mauro
for merging this into the linux-media tree.

Regards,

Hans




> ---
>  drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
> index c718a74ea70a..88d4499233b9 100644
> --- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
> +++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
> @@ -1357,7 +1357,7 @@ static int gmin_get_config_dsm_var(struct device *dev,
>  	dev_info(dev, "found _DSM entry for '%s': %s\n", var,
>  		 cur->string.pointer);
>  	strscpy(out, cur->string.pointer, *out_len);
> -	*out_len = strlen(cur->string.pointer);
> +	*out_len = strlen(out);
>  
>  	ACPI_FREE(obj);
>  	return 0;
diff mbox series

Patch

diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
index c718a74ea70a..88d4499233b9 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
@@ -1357,7 +1357,7 @@  static int gmin_get_config_dsm_var(struct device *dev,
 	dev_info(dev, "found _DSM entry for '%s': %s\n", var,
 		 cur->string.pointer);
 	strscpy(out, cur->string.pointer, *out_len);
-	*out_len = strlen(cur->string.pointer);
+	*out_len = strlen(out);
 
 	ACPI_FREE(obj);
 	return 0;