strlcpy() reads the entire source buffer first. This read may exceed the destination size limit. This is both inefficient and can lead to linear read overflows if a source string is not NUL-terminated[1]. Additionally, it returns the size of the source string, not the resulting size of the destination string. In an effort to remove strlcpy() completely[2], replace strlcpy() here with strscpy(). In the unlikely (impossible?) case where opts->id was larger than PAGE_SIZE, this will now correctly report truncation errors. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy [1] Link: https://github.com/KSPP/linux/issues/89 [2] Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Cc: Will McVicker <willmcvicker@xxxxxxxxxx> Cc: "Gustavo A. R. Silva" <gustavoars@xxxxxxxxxx> Cc: Peter Chen <peter.chen@xxxxxxx> Cc: Davidlohr Bueso <dave@xxxxxxxxxxxx> Cc: Zhang Qilong <zhangqilong3@xxxxxxxxxx> Cc: Linyu Yuan <quic_linyyuan@xxxxxxxxxxx> Cc: John Keeping <john@xxxxxxxxxxxxx> Cc: Azeem Shaikh <azeemshaikh38@xxxxxxxxx> Cc: linux-usb@xxxxxxxxxxxxxxx Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> --- drivers/usb/gadget/function/f_midi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c index 5335845d697b..20c6fbd94f32 100644 --- a/drivers/usb/gadget/function/f_midi.c +++ b/drivers/usb/gadget/function/f_midi.c @@ -1177,11 +1177,11 @@ F_MIDI_OPT(out_ports, true, MAX_PORTS); static ssize_t f_midi_opts_id_show(struct config_item *item, char *page) { struct f_midi_opts *opts = to_f_midi_opts(item); - int result; + ssize_t result; mutex_lock(&opts->lock); if (opts->id) { - result = strlcpy(page, opts->id, PAGE_SIZE); + result = strscpy(page, opts->id, PAGE_SIZE); } else { page[0] = 0; result = 0; -- 2.34.1
