
can: ucan: the memory allocated to ctl_msg_buffer is one byte less

Message ID 20250327064319.3001956-1-lizhi.xu@windriver.com (mailing list archive)
State New

Commit Message

Lizhi Xu March 27, 2025, 6:43 a.m. UTC
When executing strscpy to copy data from ctl_msg_buffer->raw to firmware_str,
the length of the raw is sizeof(union ucan_ctl_payload) + 1, which is larger
than the one byte allocated to ctl_msg_buffer.

Fixes: 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()")
Reported-by: syzbot+79340d79a8ed013a2313@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=79340d79a8ed013a2313
Tested-by: syzbot+79340d79a8ed013a2313@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
 drivers/net/can/usb/ucan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c
index 39a63b7313a4..97c6cfa2d011 100644
--- a/drivers/net/can/usb/ucan.c
+++ b/drivers/net/can/usb/ucan.c
@@ -1399,7 +1399,7 @@  static int ucan_probe(struct usb_interface *intf,
 
 	/* Prepare Memory for control transfers */
 	ctl_msg_buffer = devm_kzalloc(&udev->dev,
-				      sizeof(union ucan_ctl_payload),
+				      sizeof(union ucan_ctl_payload) + 1,
 				      GFP_KERNEL);
 	if (!ctl_msg_buffer) {
 		dev_err(&udev->dev,
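
Review bot: The `+ 1` added to the size argument of devm_kzalloc() is an unexplained magic constant. The only comment in the hunk still reads "Prepare Memory for control transfers", so nothing at the allocation tells a reader that the extra byte exists to keep the strscpy() from ctl_msg_buffer->raw, described in the commit message, inside the buffer. Please add a comment saying the trailing byte is reserved as a NUL terminator for that copy, or preferably bound the copy at the strscpy() call site to sizeof(union ucan_ctl_payload), so the allocation size and the copy length cannot drift apart again. The fix also depends on that byte staying zero after devm_kzalloc(), which holds only if no control transfer is ever given a length larger than sizeof(union ucan_ctl_payload); that is worth confirming in the callers, which are not visible in this hunk.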