[PATCH 05/10] gpio: mockup: improve the debugfs input sanitization

[Bartosz Golaszewski <brgl@xxxxxxxx>]

We're currently only checking the first character of the input to the
debugfs event files, so a string like '0sdfdsf' is valid and indicates
a falling edge event.

Be more strict and only allow '0', '1', '0\n' & '1\n'.

Signed-off-by: Bartosz Golaszewski <brgl@xxxxxxxx>
---
 drivers/gpio/gpio-mockup.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/gpio/gpio-mockup.c b/drivers/gpio/gpio-mockup.c
index ba8d62a..b197b93 100644
--- a/drivers/gpio/gpio-mockup.c
+++ b/drivers/gpio/gpio-mockup.c
@@ -208,8 +208,8 @@ static ssize_t gpio_mockup_event_write(struct file *file,
 	struct seq_file *sfile;
 	struct gpio_desc *desc;
 	struct gpio_chip *gc;
+	char buf[2];
 	int val;
-	char buf;
 
 	sfile = file->private_data;
 	priv = sfile->private;
@@ -220,12 +220,18 @@ static ssize_t gpio_mockup_event_write(struct file *file,
 	if (!chip->lines[priv->offset].irq_enabled)
 		return size;
 
-	if (copy_from_user(&buf, usr_buf, 1))
+	if (size > 2)
+		return -EINVAL;
+
+	if (copy_from_user(&buf, usr_buf, 2))
 		return -EFAULT;
 
-	if (buf == '0')
+	if (size == 2 && buf[1] != '\n')
+		return -EINVAL;
+
+	if (buf[0] == '0')
 		val = 0;
-	else if (buf == '1')
+	else if (buf[0] == '1')
 		val = 1;
 	else
 		return -EINVAL;
-- 
2.9.3

--
To unsubscribe from this list: send the line "unsubscribe linux-gpio" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html