bus: moxtet: fix potential stack buffer overflow
author Marek Behún <marek.behun@nic.cz>
Sat, 15 Feb 2020 14:21:30 +0000 (15:21 +0100)
committer Olof Johansson <olof@lixom.net>
Sat, 15 Feb 2020 18:33:19 +0000 (10:33 -0800)

The input_read function declares the size of the hex array relative to
sizeof(buf), but buf is a pointer argument of the function. The hex
array is meant to contain hexadecimal representation of the bin array.

Link: https://lore.kernel.org/r/20200215142130.22743-1-marek.behun@nic.cz
Fixes: 5bc7f990cd98 ("bus: Add support for Moxtet bus")
Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reported-by: sohu0106 <sohu0106@126.com>
Signed-off-by: Olof Johansson <olof@lixom.net>
drivers/bus/moxtet.c

index 15fa293819a03124355d6163b7b393de75f553f8..b20fdcbd035b21cd4625ea5b401fe4cf9181c70b 100644 (file)
@@ -465,7 +465,7 @@ static ssize_t input_read(struct file *file, char __user *buf, size_t len,
 {
        struct moxtet *moxtet = file->private_data;
        u8 bin[TURRIS_MOX_MAX_MODULES];
-       u8 hex[sizeof(buf) * 2 + 1];
+       u8 hex[sizeof(bin) * 2 + 1];
        int ret, n;
 
        ret = moxtet_spi_read(moxtet, bin);
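
Review bot: on the changed `hex` declaration, the commit message never states how small the old array actually was, which is what makes this a stack overflow fix and not a cosmetic one. `sizeof(buf)` is the size of a `char __user *` pointer (8 bytes on 64-bit targets, 4 on 32-bit), so the old array held 17 or 9 bytes no matter what TURRIS_MOX_MAX_MODULES is, while a full hex encoding of `bin` needs `sizeof(bin) * 2 + 1` bytes. Consider adding those sizes to the message. The code that fills `hex` lies outside this hunk, so also confirm that the byte count used when `bin` is converted into `hex` can never exceed `sizeof(bin)`; the new bound is only sufficient under that assumption.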