| Message ID | b4950310-e65f-412f-8d2b-90bb074a6572@moroto.mountain (mailing list archive) |
|---|---|
| State | Accepted, archived |
| Headers | show |
| Series | platform/x86: hp-bioscfg: prevent a small buffer overflow | expand |
Reviewed-by: Jorge Lopez <jorge.lopez2@hp.com> Regards, Jorge Lopez HP Inc "Once you stop learning, you start dying" Albert Einstein > -----Original Message----- > From: Dan Carpenter <dan.carpenter@linaro.org> > Sent: Tuesday, July 18, 2023 2:06 AM > To: Lopez, Jorge A (Security) <jorge.lopez2@hp.com> > Cc: Hans de Goede <hdegoede@redhat.com>; Mark Gross > <markgross@kernel.org>; Thomas Weißschuh <linux@weissschuh.net>; > platform-driver-x86@vger.kernel.org; kernel-janitors@vger.kernel.org > Subject: [PATCH] platform/x86: hp-bioscfg: prevent a small buffer overflow > > CAUTION: External Email > > This function escapes certain special characters like \n. So if the last > character in the string is a '\n' then it gets changed into two characters '\' > and '\n'. But maybe we only have space for the '\' so we need to check for > that. > > The "conv_dst_size" variable is always less than or to equal the "size" > variable. It's easier to just check "conv_dst_size" instead of checking both. > > Fixes: a34fc329b189 ("platform/x86: hp-bioscfg: bioscfg") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > --- > drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c > b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c > index b0a94640ff6f..32d9c36ca553 100644 > --- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c > +++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c > @@ -94,12 +94,15 @@ int hp_get_string_from_buffer(u8 **buffer, u32 > *buffer_size, char *dst, u32 dst_ > utf16s_to_utf8s(src, src_size, UTF16_HOST_ENDIAN, dst, conv_dst_size); > dst[conv_dst_size] = 0; > > - for (i = 0; i < size && i < conv_dst_size; i++) { > + for (i = 0; i < conv_dst_size; i++) { > if (*src == '\\' || > *src == '\r' || > *src == '\n' || > - *src == '\t') > + *src == '\t') { > dst[i++] = '\\'; > + if (i == conv_dst_size) > + break; > + } > > if (*src == '\r') > dst[i] = 'r'; > -- > 2.39.2
diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c index b0a94640ff6f..32d9c36ca553 100644 --- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c +++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c @@ -94,12 +94,15 @@ int hp_get_string_from_buffer(u8 **buffer, u32 *buffer_size, char *dst, u32 dst_ utf16s_to_utf8s(src, src_size, UTF16_HOST_ENDIAN, dst, conv_dst_size); dst[conv_dst_size] = 0; - for (i = 0; i < size && i < conv_dst_size; i++) { + for (i = 0; i < conv_dst_size; i++) { if (*src == '\\' || *src == '\r' || *src == '\n' || - *src == '\t') + *src == '\t') { dst[i++] = '\\'; + if (i == conv_dst_size) + break; + } if (*src == '\r') dst[i] = 'r';
This function escapes certain special characters like \n. So if the last character in the string is a '\n' then it gets changed into two characters '\' and '\n'. But maybe we only have space for the '\' so we need to check for that. The "conv_dst_size" variable is always less than or to equal the "size" variable. It's easier to just check "conv_dst_size" instead of checking both. Fixes: a34fc329b189 ("platform/x86: hp-bioscfg: bioscfg") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)