[PATCH] spi: spidev_test: Fix buffer overflow in unescape()
From: Geert Uytterhoeven
Date: Thu Sep 08 2016 - 14:06:35 EST
Sometimes spidev_test crashes with:
*** Error in `spidev_test': munmap_chunk(): invalid pointer: 0x00022020 ***
Aborted
or just
Segmentation fault
This is due to transfer_escaped_string() miscalculating the required
size of the buffer by two bytes, causing a buffer overflow in unescape().
Move the misplaced closing parenthesis to fix this.
Signed-off-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
Fixes: 30061915be6e3a2c ("spi: spidev_test: Added input buffer from the terminal")
Cc: <stable@xxxxxxxxxxxxxxx> # v4.5+
---
The bug is present in all kernels since v4.1, but in v4.5 the code was
changed, and the source file was moved.
The fix for older kernels is straight-forward, there's only a single
strlen() call in Documentation/spi/spidev_test.c:
- size = strlen(input_tx+1);
+ size = strlen(input_tx)+1;
If you want, I can send a patch against v4.4 (for v4.1..v4.4) later.
---
tools/spi/spidev_test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/spi/spidev_test.c b/tools/spi/spidev_test.c
index 1eaa4de6605bd935..ffa9908f7eb6670e 100644
--- a/tools/spi/spidev_test.c
+++ b/tools/spi/spidev_test.c
@@ -285,7 +285,7 @@ static void parse_opts(int argc, char *argv[])
static void transfer_escaped_string(int fd, char *str)
{
- size_t size = strlen(str + 1);
+ size_t size = strlen(str) + 1;
uint8_t *tx;
uint8_t *rx;
--
1.9.1