| Message ID | 26124bcd-8132-4483-9d67-225c87d424e8@kili.mountain (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var() | expand |
Hi, On 5/26/23 13:53, Dan Carpenter wrote: > Ideally, strlen(cur->string.pointer) and strlen(out) would be the same. > But this code is using strscpy() to avoid a potential buffer overflow. > So in the same way we should take the strlen() of the smaller string to > avoid a buffer overflow in the caller, gmin_get_var_int(). > > Fixes: 387041cda44e ("media: atomisp: improve sensor detection code to use _DSM table") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Thank you I have applied this to my media-atomisp branch: https://git.kernel.org/pub/scm/linux/kernel/git/hansg/linux.git/log/?h=media-atomisp And this will be included in my next pull-req to Mauro for merging this into the linux-media tree. Regards, Hans > --- > drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c > index c718a74ea70a..88d4499233b9 100644 > --- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c > +++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c > @@ -1357,7 +1357,7 @@ static int gmin_get_config_dsm_var(struct device *dev, > dev_info(dev, "found _DSM entry for '%s': %s\n", var, > cur->string.pointer); > strscpy(out, cur->string.pointer, *out_len); > - *out_len = strlen(cur->string.pointer); > + *out_len = strlen(out); > > ACPI_FREE(obj); > return 0;
diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c index c718a74ea70a..88d4499233b9 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c +++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c @@ -1357,7 +1357,7 @@ static int gmin_get_config_dsm_var(struct device *dev, dev_info(dev, "found _DSM entry for '%s': %s\n", var, cur->string.pointer); strscpy(out, cur->string.pointer, *out_len); - *out_len = strlen(cur->string.pointer); + *out_len = strlen(out); ACPI_FREE(obj); return 0;
Ideally, strlen(cur->string.pointer) and strlen(out) would be the same. But this code is using strscpy() to avoid a potential buffer overflow. So in the same way we should take the strlen() of the smaller string to avoid a buffer overflow in the caller, gmin_get_var_int(). Fixes: 387041cda44e ("media: atomisp: improve sensor detection code to use _DSM table") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)