From: Hans de Goede Date: Sat, 27 May 2023 15:38:12 +0000 (+0100) Subject: media: atomisp: Fix buffer overrun in gmin_get_var_int() X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=fadac6afccf7d8a4efa1e0ca89958f6716685333;p=linux.git media: atomisp: Fix buffer overrun in gmin_get_var_int() Not all functions used in gmin_get_var_int() update len to the actual length of the returned string. So len may still have its initial value of the length of val[] when "val[len] = 0;" is run to ensure 0 termination. If this happens we end up writing one beyond the bounds of val[], fix this. Note this is a quick fix for this since the entirety of atomisp_gmin_platform.c will be removed once all atomisp sensor drivers have been moved over to runtime-pm + v4l2-async device registration. Closes: https://lore.kernel.org/linux-media/26f37e19-c240-4d77-831d-ef3f1a4dd51d@kili.mountain/ Reported-by: Dan Carpenter Signed-off-by: Hans de Goede Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c index 93bfb3fadcf78..139ad7ad1dcf6 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c +++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c @@ -1429,8 +1429,8 @@ static int gmin_get_config_var(struct device *maindev, int gmin_get_var_int(struct device *dev, bool is_gmin, const char *var, int def) { - char val[CFG_VAR_NAME_MAX]; - size_t len = sizeof(val); + char val[CFG_VAR_NAME_MAX + 1]; + size_t len = CFG_VAR_NAME_MAX; long result; int ret;