author | Zubin Mithra <zsm@chromium.org> | 2019-04-04 14:33:55 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-04-27 09:33:55 +0200 |
commit | ae9981cee7b321ae018a345beb0ed0eb09a0fc18 (patch) | |
tree | 5fdcf08014e1f1d73b8bfb8c9747ee5f890eb115 /sound/core | |
parent | 3efb978c3c73f66ed40157de2f45f7fda7bda059 (diff) |
ALSA: seq: Fix OOB-reads from strlcpy
commit 212ac181c158c09038c474ba68068be49caecebb upstream.
When ioctl calls are made with non-null-terminated userspace strings,
strlcpy causes an OOB-read from within strlen. Fix by changing to use
strscpy instead.
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'sound/core')
-rw-r--r-- | sound/core/seq/seq_clientmgr.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index 73ee8476584d..0d0e0c2651c2 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info(struct snd_seq_client *client,
 /* fill the info fields */
 if (client_info.name[0])
- strlcpy(client->name, client_info.name, sizeof(client->name));
+ strscpy(client->name, client_info.name, sizeof(client->name));
 client->filter = client_info.filter;
 client->event_lost = client_info.event_lost;
@@ -1558,7 +1558,7 @@ static int snd_seq_ioctl_create_queue(struct snd_seq_client *client,
 /* set queue name */
 if (! info.name[0])
 snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue);
- strlcpy(q->name, info.name, sizeof(q->name));
+ strscpy(q->name, info.name, sizeof(q->name));
 snd_use_lock_free(&q->use_lock);
 if (copy_to_user(arg, &info, sizeof(info)))
@@ -1636,7 +1636,7 @@ static int snd_seq_ioctl_set_queue_info(struct snd_seq_client *client,
 queuefree(q);
 return -EPERM;
 }
- strlcpy(q->name, info.name, sizeof(q->name));
+ strscpy(q->name, info.name, sizeof(q->name));
 queuefree(q);
 return 0; |
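Review bot: The bound handed to strscpy() in the snd_seq_ioctl_set_client_info hunk is the destination size, so the out-of-bounds read is closed only while `client->name` is no larger than `client_info.name`; neither array size is visible in this diff. The same assumption applies to `q->name` versus `info.name` in the snd_seq_ioctl_create_queue and snd_seq_ioctl_set_queue_info hunks. A compile-time guard beside each copy would pin it, for example `BUILD_BUG_ON(sizeof(client->name) > sizeof(client_info.name));`. strscpy() also returns -E2BIG on truncation and all three call sites discard it, so an unterminated name from userspace is stored shortened while the ioctl still reports success; a one-line comment such as `/* name may lack a NUL; truncation is intended */` would record that this is deliberate. All three functions begin and end outside their hunks.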