[PATCH 1/2] staging/atomisp: one char read beyond end of string

Linux Media Controller development
 help / color / mirror / Atom feed

* [PATCH 1/2] staging/atomisp: one char read beyond end of string
       [not found] <HE1PR0801MB18654EFD46513A845BBD4BAD9CE00@HE1PR0801MB1865.eurprd08.prod.outlook.com>
@ 2017-05-15 10:01 ` Dan Carpenter
  2017-05-15 10:01 ` [PATCH 2/2] staging/atomisp: putting NULs in the wrong place Dan Carpenter
  1 sibling, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2017-05-15 10:01 UTC (permalink / raw)
  To: Mauro Carvalho Chehab, David Binderman, Alan Cox
  Cc: Greg Kroah-Hartman, linux-media, devel

We should verify that "ix < max_len" before we test whether we have
reached the NUL terminator.

Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Reported-by: David Binderman <dcb314@hotmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_include/string_support.h b/drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_include/string_support.h
index 568631698a3d..74b5a1c7ac9a 100644
--- a/drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_include/string_support.h
+++ b/drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_include/string_support.h
@@ -72,9 +72,8 @@ static size_t strnlen_s(
 		return 0;
 	}
 
-	for (ix=0;
-		((src_str[ix] != '\0') && (ix< max_len));
-		++ix) /*Nothing else to do*/;
+	for (ix = 0; ix < max_len && src_str[ix] != '\0'; ix++)
+		;
 
 	/* On Error, it will return src_size == max_len*/
 	return ix;

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH 2/2] staging/atomisp: putting NULs in the wrong place
       [not found] <HE1PR0801MB18654EFD46513A845BBD4BAD9CE00@HE1PR0801MB1865.eurprd08.prod.outlook.com>
  2017-05-15 10:01 ` [PATCH 1/2] staging/atomisp: one char read beyond end of string Dan Carpenter
@ 2017-05-15 10:01 ` Dan Carpenter
  2017-05-15 10:21   ` walter harms
  1 sibling, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2017-05-15 10:01 UTC (permalink / raw)
  To: Mauro Carvalho Chehab, Alan Cox, David Binderman
  Cc: Greg Kroah-Hartman, linux-media, devel, kernel-janitors

We're putting the NUL terminators one space beyond where they belong.
This doesn't show up in testing because all but the callers put a NUL in
the correct place themselves.  LOL.  It causes a static checker warning
about buffer overflows.

Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_include/string_support.h b/drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_include/string_support.h
index 74b5a1c7ac9a..c53241a7a281 100644
--- a/drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_include/string_support.h
+++ b/drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_include/string_support.h
@@ -117,7 +117,7 @@ STORAGE_CLASS_INLINE int strncpy_s(
 
 	/* dest_str is big enough for the len */
 	strncpy(dest_str, src_str, len);
-	dest_str[len+1] = '\0';
+	dest_str[len] = '\0';
 	return 0;
 }
 
@@ -157,7 +157,7 @@ STORAGE_CLASS_INLINE int strcpy_s(
 
 	/* dest_str is big enough for the len */
 	strncpy(dest_str, src_str, len);
-	dest_str[len+1] = '\0';
+	dest_str[len] = '\0';
 	return 0;
 }
 

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH 2/2] staging/atomisp: putting NULs in the wrong place
  2017-05-15 10:01 ` [PATCH 2/2] staging/atomisp: putting NULs in the wrong place Dan Carpenter
@ 2017-05-15 10:21   ` walter harms
  2017-05-15 10:27     ` Dan Carpenter
  0 siblings, 1 reply; 4+ messages in thread
From: walter harms @ 2017-05-15 10:21 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Mauro Carvalho Chehab, Alan Cox, David Binderman,
	Greg Kroah-Hartman, linux-media, devel, kernel-janitors



Am 15.05.2017 12:01, schrieb Dan Carpenter:
> We're putting the NUL terminators one space beyond where they belong.
> This doesn't show up in testing because all but the callers put a NUL in
> the correct place themselves.  LOL.  It causes a static checker warning
> about buffer overflows.
> 
> Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_include/string_support.h b/drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_include/string_support.h
> index 74b5a1c7ac9a..c53241a7a281 100644
> --- a/drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_include/string_support.h
> +++ b/drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_include/string_support.h
> @@ -117,7 +117,7 @@ STORAGE_CLASS_INLINE int strncpy_s(
>  
>  	/* dest_str is big enough for the len */
>  	strncpy(dest_str, src_str, len);
> -	dest_str[len+1] = '\0';
> +	dest_str[len] = '\0';
>  	return 0;
>  }
>  
> @@ -157,7 +157,7 @@ STORAGE_CLASS_INLINE int strcpy_s(
>  
>  	/* dest_str is big enough for the len */
>  	strncpy(dest_str, src_str, len);
> -	dest_str[len+1] = '\0';
> +	dest_str[len] = '\0';
>  	return 0;
>  }
>  

can this strcpy_s() replaced with strlcpy ?

re,
 wh


> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 2/2] staging/atomisp: putting NULs in the wrong place
  2017-05-15 10:21   ` walter harms
@ 2017-05-15 10:27     ` Dan Carpenter
  0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2017-05-15 10:27 UTC (permalink / raw)
  To: walter harms
  Cc: Mauro Carvalho Chehab, Alan Cox, David Binderman,
	Greg Kroah-Hartman, linux-media, devel, kernel-janitors

On Mon, May 15, 2017 at 12:21:45PM +0200, walter harms wrote:
> can this strcpy_s() replaced with strlcpy ?
> 

These functions obviously should be removed, yes.  Please send a patch
for that and we can drop my patches.  Give David reported-by credit.

regards,
dan carpenter

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2017-05-15 10:28 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <HE1PR0801MB18654EFD46513A845BBD4BAD9CE00@HE1PR0801MB1865.eurprd08.prod.outlook.com>
2017-05-15 10:01 ` [PATCH 1/2] staging/atomisp: one char read beyond end of string Dan Carpenter
2017-05-15 10:01 ` [PATCH 2/2] staging/atomisp: putting NULs in the wrong place Dan Carpenter
2017-05-15 10:21   ` walter harms
2017-05-15 10:27     ` Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox