On Sat, May 27, 2023 at 6:51 PM Hans de Goede <hdegoede@xxxxxxxxxx> wrote: > > Not all functions used in gmin_get_var_int() update len to the actual > length of the returned string. So len may still have its initial value > of the length of val[] when "val[len] = 0;" is run to ensure 0 termination. > > If this happens we end up writing one beyond the bounds of val[], fix this. > > Note this is a quick fix for this since the entirety of > atomisp_gmin_platform.c will be removed once all atomisp sensor > drivers have been moved over to runtime-pm + v4l2-async device > registration. ... > Closes: https://lore.kernel.org/linux-media/26f37e19-c240-4d77-831d-ef3f1a4dd51d@kili.mountain/ Is this a new official tag? (Just to my surprise) ... > - char val[CFG_VAR_NAME_MAX]; > - size_t len = sizeof(val); > + char val[CFG_VAR_NAME_MAX + 1]; > + size_t len = CFG_VAR_NAME_MAX; Why not sizeof() - 1? At least it will be a single point when change can be made and not breaking again in a similar way the code. > long result; > int ret; -- With Best Regards, Andy Shevchenko
