Re: [PATCH] staging: fbtft: Fix buffer overflow vulnerability

From: Greg Kroah-Hartman
Date: Tue Feb 14 2017 - 20:03:19 EST

Next message: Doug Ledford: "Re: linux-next: build failure after merge of the rdma tree"
Previous message: Wangnan (F): "Re: [PATCH net-next v1] bpf: Remove redundant ifdef"
In reply to: Tobin C. Harding: "[PATCH] staging: fbtft: Fix buffer overflow vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Feb 15, 2017 at 11:42:54AM +1100, Tobin C. Harding wrote:
> Module copies a user supplied string (module parameter) into a buffer
> using strncpy() and does not check that the buffer is null terminated.
>
> Replace call to strncpy() with call to strlcpy() ensuring that the
> buffer is null terminated.
>
> Signed-off-by: Tobin C. Harding <me@xxxxxxxx>
> ---
> drivers/staging/fbtft/fbtft_device.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/fbtft/fbtft_device.c b/drivers/staging/fbtft/fbtft_device.c
> index de46f8d..7b7223b 100644
> --- a/drivers/staging/fbtft/fbtft_device.c
> +++ b/drivers/staging/fbtft/fbtft_device.c
> @@ -1483,7 +1483,7 @@ static int __init fbtft_device_init(void)
> displays[i].pdev->name = name;
> displays[i].spi = NULL;
> } else {
> - strncpy(displays[i].spi->modalias, name, SPI_NAME_SIZE);
> + strlcpy(displays[i].spi->modalias, name, SPI_NAME_SIZE);

Shouldn't we properly check the return value here to know if the buffer
did get truncated? Or do we really care?

thanks,

greg k-h

Next message: Doug Ledford: "Re: linux-next: build failure after merge of the rdma tree"
Previous message: Wangnan (F): "Re: [PATCH net-next v1] bpf: Remove redundant ifdef"
In reply to: Tobin C. Harding: "[PATCH] staging: fbtft: Fix buffer overflow vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]