diff options
author | Mauro Carvalho Chehab <mchehab@s-opensource.com> | 2018-04-23 09:14:30 -0400 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab+samsung@kernel.org> | 2018-05-04 08:55:36 -0400 |
commit | 5ef76cb7c19acd5531806c8a1be4559e0c2d77d1 (patch) | |
tree | 9d679b7fc48833f5c0852f110eb47d4467d315bc /drivers/media/common/siano | |
parent | e1b7f11b37def5f3021c06e8c2b4953e099357aa (diff) | |
download | op-kernel-dev-5ef76cb7c19acd5531806c8a1be4559e0c2d77d1.zip op-kernel-dev-5ef76cb7c19acd5531806c8a1be4559e0c2d77d1.tar.gz |
media: siano: be sure to not override devpath size
Right now, at siano driver, all places where devpath is
defined has sizeof(devpath) == 32. So, there's no practical
risc of going past devpath array anywhere.
Still, code changes might cause troubles. It also confuses
Coverity:
CID 139059 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
9. fixed_size_dest: You might overrun the 32-character
fixed-size string entry->devpath by copying devpath
without checking the length.
10. parameter_as_source: Note: This defect has an
elevated risk because the source argument
is a parameter of the current function.
So, explicitly limit strcmp() and strcpy() to ensure that the
devpath size (32) will be respected.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Diffstat (limited to 'drivers/media/common/siano')
-rw-r--r-- | drivers/media/common/siano/smscoreapi.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c index b5dcc6d..1c93258 100644 --- a/drivers/media/common/siano/smscoreapi.c +++ b/drivers/media/common/siano/smscoreapi.c @@ -415,8 +415,8 @@ EXPORT_SYMBOL_GPL(smscore_get_board_id); struct smscore_registry_entry_t { struct list_head entry; - char devpath[32]; - int mode; + char devpath[32]; + int mode; enum sms_device_type_st type; }; @@ -442,7 +442,7 @@ static struct smscore_registry_entry_t *smscore_find_registry(char *devpath) next != &g_smscore_registry; next = next->next) { entry = (struct smscore_registry_entry_t *) next; - if (!strcmp(entry->devpath, devpath)) { + if (!strncmp(entry->devpath, devpath, sizeof(entry->devpath))) { kmutex_unlock(&g_smscore_registrylock); return entry; } @@ -450,7 +450,7 @@ static struct smscore_registry_entry_t *smscore_find_registry(char *devpath) entry = kmalloc(sizeof(*entry), GFP_KERNEL); if (entry) { entry->mode = default_mode; - strcpy(entry->devpath, devpath); + strlcpy(entry->devpath, devpath, sizeof(entry->devpath)); list_add(&entry->entry, &g_smscore_registry); } else pr_err("failed to create smscore_registry.\n"); @@ -733,7 +733,7 @@ int smscore_register_device(struct smsdevice_params_t *params, dev->postload_handler = params->postload_handler; dev->device_flags = params->flags; - strcpy(dev->devpath, params->devpath); + strlcpy(dev->devpath, params->devpath, sizeof(dev->devpath)); smscore_registry_settype(dev->devpath, params->device_type); |