platform/x86: hp-bioscfg: prevent a small buffer overflow

This function escapes certain special characters like \n.  So if the
last character in the string is a '\n' then it gets changed into two
characters '\' and '\n'.  But maybe we only have space for the '\' so
we need to check for that.

The "conv_dst_size" variable is always less than or to equal the "size"
variable.  It's easier to just check "conv_dst_size" instead of checking
both.

Fixes: a34fc329b189 ("platform/x86: hp-bioscfg: bioscfg")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/b4950310-e65f-412f-8d2b-90bb074a6572@moroto.mountain
Reviewed-by: Jorge Lopez <jorge.lopez2@hp.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>

diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
index b0a9464..32d9c36 100644 (file)
--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
@@ -94,12 +94,15 @@ int hp_get_string_from_buffer(u8 **buffer, u32 *buffer_size, char *dst, u32 dst_
        utf16s_to_utf8s(src, src_size, UTF16_HOST_ENDIAN, dst, conv_dst_size);
        dst[conv_dst_size] = 0;
 
-       for (i = 0; i < size && i < conv_dst_size; i++) {
+       for (i = 0; i < conv_dst_size; i++) {
                if (*src == '\\' ||
                    *src == '\r' ||
                    *src == '\n' ||
-                   *src == '\t')
+                   *src == '\t') {
                        dst[i++] = '\\';
+                       if (i == conv_dst_size)
+                               break;
+               }
 
                if (*src == '\r')
                        dst[i] = 'r';