RE: [PATCH] platform/x86: hp-bioscfg: prevent a small buffer overflow

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Reviewed-by: Jorge Lopez <jorge.lopez2@xxxxxx>


Regards,

Jorge Lopez
HP Inc

"Once you stop learning, you start dying"
Albert Einstein

> -----Original Message-----
> From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Sent: Tuesday, July 18, 2023 2:06 AM
> To: Lopez, Jorge A (Security) <jorge.lopez2@xxxxxx>
> Cc: Hans de Goede <hdegoede@xxxxxxxxxx>; Mark Gross
> <markgross@xxxxxxxxxx>; Thomas Weißschuh <linux@xxxxxxxxxxxxxx>;
> platform-driver-x86@xxxxxxxxxxxxxxx; kernel-janitors@xxxxxxxxxxxxxxx
> Subject: [PATCH] platform/x86: hp-bioscfg: prevent a small buffer overflow
> 
> CAUTION: External Email
> 
> This function escapes certain special characters like \n.  So if the last
> character in the string is a '\n' then it gets changed into two characters '\'
> and '\n'.  But maybe we only have space for the '\' so we need to check for
> that.
> 
> The "conv_dst_size" variable is always less than or to equal the "size"
> variable.  It's easier to just check "conv_dst_size" instead of checking both.
> 
> Fixes: a34fc329b189 ("platform/x86: hp-bioscfg: bioscfg")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
>  drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
> b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
> index b0a94640ff6f..32d9c36ca553 100644
> --- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
> +++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
> @@ -94,12 +94,15 @@ int hp_get_string_from_buffer(u8 **buffer, u32
> *buffer_size, char *dst, u32 dst_
>         utf16s_to_utf8s(src, src_size, UTF16_HOST_ENDIAN, dst, conv_dst_size);
>         dst[conv_dst_size] = 0;
> 
> -       for (i = 0; i < size && i < conv_dst_size; i++) {
> +       for (i = 0; i < conv_dst_size; i++) {
>                 if (*src == '\\' ||
>                     *src == '\r' ||
>                     *src == '\n' ||
> -                   *src == '\t')
> +                   *src == '\t') {
>                         dst[i++] = '\\';
> +                       if (i == conv_dst_size)
> +                               break;
> +               }
> 
>                 if (*src == '\r')
>                         dst[i] = 'r';
> --
> 2.39.2





[Index of Archives]     [Linux Kernel Development]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux