From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751702AbdBOD1s (ORCPT <rfc822;w@1wt.eu>);
        Tue, 14 Feb 2017 22:27:48 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:54802 "EHLO
        out1-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1751593AbdBOD1q (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 14 Feb 2017 22:27:46 -0500
X-ME-Sender: <xms:scqjWMlZofE2ZlUYqlB97pLLDZ1PQkaCXjh79D-vu5W2YLgAnB1P5g>
X-Sasl-enc: ixYW6blpbEtYzwOeYKd7lMXh7LdXKoF7fU15abMOIIym 1487129264
From: "Tobin C. Harding" <me@tobin.cc>
To: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>,
        noralf@tronnes.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org,
        "Tobin C. Harding" <me@tobin.cc>
Subject: [PATCH v2 1/3] staging: fbtft: Fix buffer overflow vulnerability
Date: Wed, 15 Feb 2017 14:27:23 +1100
Message-Id: <1487129245-24970-2-git-send-email-me@tobin.cc>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1487129245-24970-1-git-send-email-me@tobin.cc>
References: <1487129245-24970-1-git-send-email-me@tobin.cc>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Module copies a user supplied string (module parameter) into a buffer
using strncpy() and does not check that the buffer is null terminated.

Replace call to strncpy() with call to strlcpy() ensuring that the
buffer is null terminated.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
---
 drivers/staging/fbtft/fbtft_device.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/fbtft/fbtft_device.c b/drivers/staging/fbtft/fbtft_device.c
index de46f8d..7b7223b 100644
--- a/drivers/staging/fbtft/fbtft_device.c
+++ b/drivers/staging/fbtft/fbtft_device.c
@@ -1483,7 +1483,7 @@ static int __init fbtft_device_init(void)
 			displays[i].pdev->name = name;
 			displays[i].spi = NULL;
 		} else {
-			strncpy(displays[i].spi->modalias, name, SPI_NAME_SIZE);
+			strlcpy(displays[i].spi->modalias, name, SPI_NAME_SIZE);
 			displays[i].pdev = NULL;
 		}
 	}
-- 
2.7.4