* [PATCH] media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var()
@ 2023-05-26 11:53 Dan Carpenter
2023-05-27 15:48 ` Hans de Goede
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2023-05-26 11:53 UTC (permalink / raw)
To: Mauro Carvalho Chehab, Hans de Goede
Cc: Mauro Carvalho Chehab, Sakari Ailus, Greg Kroah-Hartman,
Andy Shevchenko, Ard Biesheuvel, linux-media, linux-staging,
kernel-janitors
Ideally, strlen(cur->string.pointer) and strlen(out) would be the same.
But this code is using strscpy() to avoid a potential buffer overflow.
So in the same way we should take the strlen() of the smaller string to
avoid a buffer overflow in the caller, gmin_get_var_int().
Fixes: 387041cda44e ("media: atomisp: improve sensor detection code to use _DSM table")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
index c718a74ea70a..88d4499233b9 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
@@ -1357,7 +1357,7 @@ static int gmin_get_config_dsm_var(struct device *dev,
dev_info(dev, "found _DSM entry for '%s': %s\n", var,
cur->string.pointer);
strscpy(out, cur->string.pointer, *out_len);
- *out_len = strlen(cur->string.pointer);
+ *out_len = strlen(out);
ACPI_FREE(obj);
return 0;
--
2.39.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var()
2023-05-26 11:53 [PATCH] media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var() Dan Carpenter
@ 2023-05-27 15:48 ` Hans de Goede
0 siblings, 0 replies; 2+ messages in thread
From: Hans de Goede @ 2023-05-27 15:48 UTC (permalink / raw)
To: Dan Carpenter, Mauro Carvalho Chehab
Cc: Mauro Carvalho Chehab, Sakari Ailus, Greg Kroah-Hartman,
Andy Shevchenko, Ard Biesheuvel, linux-media, linux-staging,
kernel-janitors
Hi,
On 5/26/23 13:53, Dan Carpenter wrote:
> Ideally, strlen(cur->string.pointer) and strlen(out) would be the same.
> But this code is using strscpy() to avoid a potential buffer overflow.
> So in the same way we should take the strlen() of the smaller string to
> avoid a buffer overflow in the caller, gmin_get_var_int().
>
> Fixes: 387041cda44e ("media: atomisp: improve sensor detection code to use _DSM table")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Thank you I have applied this to my media-atomisp branch:
https://git.kernel.org/pub/scm/linux/kernel/git/hansg/linux.git/log/?h=media-atomisp
And this will be included in my next pull-req to Mauro
for merging this into the linux-media tree.
Regards,
Hans
> ---
> drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
> index c718a74ea70a..88d4499233b9 100644
> --- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
> +++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
> @@ -1357,7 +1357,7 @@ static int gmin_get_config_dsm_var(struct device *dev,
> dev_info(dev, "found _DSM entry for '%s': %s\n", var,
> cur->string.pointer);
> strscpy(out, cur->string.pointer, *out_len);
> - *out_len = strlen(cur->string.pointer);
> + *out_len = strlen(out);
>
> ACPI_FREE(obj);
> return 0;
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-05-27 15:48 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-26 11:53 [PATCH] media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var() Dan Carpenter
2023-05-27 15:48 ` Hans de Goede
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).