Re: [PATCH] staging: fbtft: Fix buffer overflow vulnerability

From: Greg Kroah-Hartman
Date: Tue Feb 14 2017 - 20:03:19 EST


On Wed, Feb 15, 2017 at 11:42:54AM +1100, Tobin C. Harding wrote:
> Module copies a user supplied string (module parameter) into a buffer
> using strncpy() and does not check that the buffer is null terminated.
>
> Replace call to strncpy() with call to strlcpy() ensuring that the
> buffer is null terminated.
>
> Signed-off-by: Tobin C. Harding <me@xxxxxxxx>
> ---
> drivers/staging/fbtft/fbtft_device.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/fbtft/fbtft_device.c b/drivers/staging/fbtft/fbtft_device.c
> index de46f8d..7b7223b 100644
> --- a/drivers/staging/fbtft/fbtft_device.c
> +++ b/drivers/staging/fbtft/fbtft_device.c
> @@ -1483,7 +1483,7 @@ static int __init fbtft_device_init(void)
> displays[i].pdev->name = name;
> displays[i].spi = NULL;
> } else {
> - strncpy(displays[i].spi->modalias, name, SPI_NAME_SIZE);
> + strlcpy(displays[i].spi->modalias, name, SPI_NAME_SIZE);

Shouldn't we properly check the return value here to know if the buffer
did get truncated? Or do we really care?

thanks,

greg k-h