ALSA: control - off by one in store_mode()

If count is 16 then this will put the NUL terminator one element beyond
the end of the array.

Fixes: cb17fe0045aa ("ALSA: control - add sysfs support to the LED trigger module")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/YGcDOtrimR46vr0k@mwanda
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/core/control_led.c b/sound/core/control_led.c
index 788fd9e275e00a5191b68f3a69c85c7165aa5db6..d756a52e58db7aeb05fc97bc37659273a72d2561 100644 (file)
--- a/sound/core/control_led.c
+++ b/sound/core/control_led.c
@@ -391,7 +391,7 @@ static ssize_t store_mode(struct device *dev, struct device_attribute *attr,
 {
        struct snd_ctl_led *led = container_of(dev, struct snd_ctl_led, dev);
        char _buf[16];
-       size_t l = min(count, sizeof(_buf) - 1) + 1;
+       size_t l = min(count, sizeof(_buf) - 1);
        enum snd_ctl_led_mode mode;
 
        memcpy(_buf, buf, l);