diff mbox series

[2/2] ALSA: control - off by one in store_mode()

Message ID YGcDOtrimR46vr0k@mwanda (mailing list archive)
State New
Headers show
Series [1/2] ALSA: control - fix a leak in snd_ctl_led_init() | expand

Commit Message

Dan Carpenter April 2, 2021, 11:42 a.m. UTC
If count is 16 then this will put the NUL terminator one element beyond
the end of the array.

Fixes: cb17fe0045aa ("ALSA: control - add sysfs support to the LED trigger module")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 sound/core/control_led.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jaroslav Kysela April 2, 2021, 5:52 p.m. UTC | #1
Dne 02. 04. 21 v 13:42 Dan Carpenter napsal(a):
> If count is 16 then this will put the NUL terminator one element beyond
> the end of the array.
> 
> Fixes: cb17fe0045aa ("ALSA: control - add sysfs support to the LED trigger module")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

No idea why I added + 1... Thanks for your correction.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>

> ---
>  sound/core/control_led.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sound/core/control_led.c b/sound/core/control_led.c
> index 202b475d0bf3..ab5a455723c8 100644
> --- a/sound/core/control_led.c
> +++ b/sound/core/control_led.c
> @@ -391,7 +391,7 @@ static ssize_t store_mode(struct device *dev, struct device_attribute *attr,
>  {
>  	struct snd_ctl_led *led = container_of(dev, struct snd_ctl_led, dev);
>  	char _buf[16];
> -	size_t l = min(count, sizeof(_buf) - 1) + 1;
> +	size_t l = min(count, sizeof(_buf) - 1);
>  	enum snd_ctl_led_mode mode;
>  
>  	memcpy(_buf, buf, l);
>
Takashi Iwai April 6, 2021, 11:34 a.m. UTC | #2
On Fri, 02 Apr 2021 19:52:43 +0200,
Jaroslav Kysela wrote:
> 
> Dne 02. 04. 21 v 13:42 Dan Carpenter napsal(a):
> > If count is 16 then this will put the NUL terminator one element beyond
> > the end of the array.
> > 
> > Fixes: cb17fe0045aa ("ALSA: control - add sysfs support to the LED trigger module")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> No idea why I added + 1... Thanks for your correction.
> 
> Reviewed-by: Jaroslav Kysela <perex@perex.cz>

Applied now.  Thanks.


Takashi
diff mbox series

Patch

diff --git a/sound/core/control_led.c b/sound/core/control_led.c
index 202b475d0bf3..ab5a455723c8 100644
--- a/sound/core/control_led.c
+++ b/sound/core/control_led.c
@@ -391,7 +391,7 @@  static ssize_t store_mode(struct device *dev, struct device_attribute *attr,
 {
 	struct snd_ctl_led *led = container_of(dev, struct snd_ctl_led, dev);
 	char _buf[16];
-	size_t l = min(count, sizeof(_buf) - 1) + 1;
+	size_t l = min(count, sizeof(_buf) - 1);
 	enum snd_ctl_led_mode mode;
 
 	memcpy(_buf, buf, l);