bus: moxtet: fix potential stack buffer overflow

The input_read function declares the size of the hex array relative to sizeof(buf), but buf is a pointer argument of the function. The hex array is meant to contain hexadecimal representation of the bin array. Link: https://lore.kernel.org/r/20200215142130.22743-1-marek.behun@nic.cz Fixes: 5bc7f990 ("bus: Add support for Moxtet bus") Signed-off-by: Marek Behún <marek.behun@nic.cz> Reported-by: sohu0106 <sohu0106@126.com> Signed-off-by: Olof Johansson <olof@lixom.net>

bus: moxtet: fix potential stack buffer overflow
The input_read function declares the size of the hex array relative to sizeof(buf), but buf is a pointer argument of the function. The hex array is meant to contain hexadecimal representation of the bin array. Link: https://lore.kernel.org/r/20200215142130.22743-1-marek.behun@nic.cz Fixes: 5bc7f990 ("bus: Add support for Moxtet bus") Signed-off-by: Marek Behún <marek.behun@nic.cz> Reported-by: sohu0106 <sohu0106@126.com> Signed-off-by: Olof Johansson <olof@lixom.net>
3bf3c974 · Marek Behún · Olof Johansson · bab8f1ff · 3bf3c974
Commit 3bf3c974 authored Feb 15, 2020 by Marek Behún Committed by Olof Johansson Feb 15, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/bus/moxtet.c drivers/bus/moxtet.c +1 -1

No files found.
--- a/drivers/bus/moxtet.c
+++ b/drivers/bus/moxtet.c
@@ -465,7 +465,7 @@ static ssize_t input_read(struct file *file, char __user *buf, size_t len,
 {
 	struct moxtet *moxtet = file->private_data;
 	u8 bin[TURRIS_MOX_MAX_MODULES];
-	u8 hex[sizeof(buf) * 2 + 1];
+	u8 hex[sizeof(bin) * 2 + 1];
 	int ret, n;

 	ret = moxtet_spi_read(moxtet, bin);