Commit 0278b34b authored by Geert Uytterhoeven's avatar Geert Uytterhoeven Committed by Mark Brown

spi: spidev_test: Fix buffer overflow in unescape()

Sometimes spidev_test crashes with:

    *** Error in `spidev_test': munmap_chunk(): invalid pointer: 0x00022020 ***
    Aborted

or just

    Segmentation fault

This is due to transfer_escaped_string() miscalculating the required
size of the buffer by one byte, causing a buffer overflow in unescape().

Drop the bogus "+ 1" in the strlen() parameter to fix this.

Note that unescape() never copies the zero-terminator of the source
string, so it writes at most as many bytes as the length of the source
string.

Fixes: 30061915 (spi: spidev_test: Added input buffer from the terminal)
Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: default avatarMark Brown <broonie@kernel.org>
Cc: <stable@vger.kernel.org> # v4.5+
parent 29b4817d
...@@ -284,7 +284,7 @@ static void parse_opts(int argc, char *argv[]) ...@@ -284,7 +284,7 @@ static void parse_opts(int argc, char *argv[])
static void transfer_escaped_string(int fd, char *str) static void transfer_escaped_string(int fd, char *str)
{ {
size_t size = strlen(str + 1); size_t size = strlen(str);
uint8_t *tx; uint8_t *tx;
uint8_t *rx; uint8_t *rx;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment