The use of strncpy() in the set_led_id() was incorrect. The len variable should use 'min(sizeof(buf2) - 1, count)' expression.
Use strscpy() function to simplify things and handle the error gracefully.
Reported-by: yang.yang29@zte.com.cn BugLink: https://lore.kernel.org/alsa-devel/202301091945513559977@zte.com.cn/ Cc: stable@vger.kernel.org Signed-off-by: Jaroslav Kysela perex@perex.cz --- sound/core/control_led.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/sound/core/control_led.c b/sound/core/control_led.c index f975cc85772b..45c8eb5700c1 100644 --- a/sound/core/control_led.c +++ b/sound/core/control_led.c @@ -530,12 +530,11 @@ static ssize_t set_led_id(struct snd_ctl_led_card *led_card, const char *buf, si bool attach) { char buf2[256], *s, *os; - size_t len = max(sizeof(s) - 1, count); struct snd_ctl_elem_id id; int err;
- strncpy(buf2, buf, len); - buf2[len] = '\0'; + if (strscpy(buf2, buf, min(sizeof(buf2), count)) < 0) + return -E2BIG; memset(&id, 0, sizeof(id)); id.iface = SNDRV_CTL_ELEM_IFACE_MIXER; s = buf2;
On 09. 01. 23 14:47, Jaroslav Kysela wrote:
The use of strncpy() in the set_led_id() was incorrect. The len variable should use 'min(sizeof(buf2) - 1, count)' expression.
Use strscpy() function to simplify things and handle the error gracefully.
Reported-by: yang.yang29@zte.com.cn BugLink: https://lore.kernel.org/alsa-devel/202301091945513559977@zte.com.cn/ Cc: stable@vger.kernel.org Signed-off-by: Jaroslav Kysela perex@perex.cz
sound/core/control_led.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/sound/core/control_led.c b/sound/core/control_led.c index f975cc85772b..45c8eb5700c1 100644 --- a/sound/core/control_led.c +++ b/sound/core/control_led.c @@ -530,12 +530,11 @@ static ssize_t set_led_id(struct snd_ctl_led_card *led_card, const char *buf, si bool attach) { char buf2[256], *s, *os;
- size_t len = max(sizeof(s) - 1, count); struct snd_ctl_elem_id id; int err;
- strncpy(buf2, buf, len);
- buf2[len] = '\0';
- if (strscpy(buf2, buf, min(sizeof(buf2), count)) < 0)
Please, don't use this version of path (see v2). This min() expression will strip the last char and buf is '\0' terminated.
v2: https://lore.kernel.org/alsa-devel/20230109150119.342771-1-perex@perex.cz/
Jaroslav
linux-stable-mirror@lists.linaro.org