Commit e4d8a299 authored by Mikulas Patocka's avatar Mikulas Patocka Committed by Linus Torvalds

hex2bin: fix access beyond string end

If we pass too short string to "hex2bin" (and the string size without
the terminating NUL character is even), "hex2bin" reads one byte after
the terminating NUL character.  This patch fixes it.

Note that hex_to_bin returns -1 on error and hex2bin return -EINVAL on
error - so we can't just return the variable "hi" or "lo" on error.
This inconsistency may be fixed in the next merge window, but for the
purpose of fixing this bug, we just preserve the existing behavior and
return -1 and -EINVAL.
Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
Reviewed-by: default avatarAndy Shevchenko <andy.shevchenko@gmail.com>
Fixes: b7804983 ("lib: add error checking to hex2bin")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent e5be1576
......@@ -63,10 +63,13 @@ EXPORT_SYMBOL(hex_to_bin);
int hex2bin(u8 *dst, const char *src, size_t count)
{
while (count--) {
int hi = hex_to_bin(*src++);
int lo = hex_to_bin(*src++);
int hi, lo;
if ((hi < 0) || (lo < 0))
hi = hex_to_bin(*src++);
if (unlikely(hi < 0))
return -EINVAL;
lo = hex_to_bin(*src++);
if (unlikely(lo < 0))
return -EINVAL;
*dst++ = (hi << 4) | lo;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment