| From 3bf3c9744694803bd2d6f0ee70a6369b980530fd Mon Sep 17 00:00:00 2001 |
| From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <marek.behun@nic.cz> |
| Date: Sat, 15 Feb 2020 15:21:30 +0100 |
| Subject: bus: moxtet: fix potential stack buffer overflow |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| From: Marek Behún <marek.behun@nic.cz> |
| |
| commit 3bf3c9744694803bd2d6f0ee70a6369b980530fd upstream. |
| |
| The input_read function declares the size of the hex array relative to |
| sizeof(buf), but buf is a pointer argument of the function. The hex |
| array is meant to contain hexadecimal representation of the bin array. |
| |
| Link: https://lore.kernel.org/r/20200215142130.22743-1-marek.behun@nic.cz |
| Fixes: 5bc7f990cd98 ("bus: Add support for Moxtet bus") |
| Signed-off-by: Marek Behún <marek.behun@nic.cz> |
| Reported-by: sohu0106 <sohu0106@126.com> |
| Signed-off-by: Olof Johansson <olof@lixom.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/bus/moxtet.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/bus/moxtet.c |
| +++ b/drivers/bus/moxtet.c |
| @@ -466,7 +466,7 @@ static ssize_t input_read(struct file *f |
| { |
| struct moxtet *moxtet = file->private_data; |
| u8 bin[TURRIS_MOX_MAX_MODULES]; |
| - u8 hex[sizeof(buf) * 2 + 1]; |
| + u8 hex[sizeof(bin) * 2 + 1]; |
| int ret, n; |
| |
| ret = moxtet_spi_read(moxtet, bin); |
