shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-07 19:30:30 +09:00
Code Issues Packages Projects Releases Wiki Activity

vfm: string without null-termination [1/1]

Browse Source 
PD#OTT-4743

Problem:
string withou null-termination

Solution:
ensure there is a null-termination in the string

Verify:
p212

Change-Id: Icfb6e39741b5d26611bbd316d6c423b8d4715105
Signed-off-by: apollo.ling <apollo.ling@amlogic.com>
This commit is contained in:
apollo.ling
2019-06-25 11:11:48 +08:00
committed by Luan Yuan
parent e7751ff446
commit ace09d7eea
1 changed files with 10 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
drivers/amlogic/media/common/vfm/vfm.c
View File

@@ -738,17 +738,19 @@ static long vfm_ioctl(struct file *file, unsigned int cmd, ulong arg)
struct vfmctl *user_argp = (void __user *)arg;
struct vfmctl argp;
memset(&argp, 0, sizeof(struct vfmctl));
switch (cmd) {
case VFM_IOCTL_CMD_SET:{
ret =
copy_from_user(argp.name, user_argp->name, sizeof(argp.name));
copy_from_user(argp.name, user_argp->name, sizeof(argp.name)-1);
ret |=
copy_from_user(argp.val, user_argp->val, sizeof(argp.val));
copy_from_user(argp.val, user_argp->val, sizeof(argp.val) - 1);
if (ret)
ret = -EINVAL;
else
ret =
vfm_map_store(NULL, NULL, argp.val, sizeof(argp.val));
vfm_map_store(NULL, NULL, argp.val, sizeof(argp.val) - 1);
}
break;
case VFM_IOCTL_CMD_GET:{
@@ -765,9 +767,9 @@ static long vfm_ioctl(struct file *file, unsigned int cmd, ulong arg)
break;
case VFM_IOCTL_CMD_ADD:{
ret =
copy_from_user(argp.name, user_argp->name, sizeof(argp.name));
copy_from_user(argp.name, user_argp->name, sizeof(argp.name)-1);
ret |=
copy_from_user(argp.val, user_argp->val, sizeof(argp.val));
copy_from_user(argp.val, user_argp->val, sizeof(argp.val) - 1);
if (ret)
ret = -EINVAL;
else
@@ -776,7 +778,7 @@ static long vfm_ioctl(struct file *file, unsigned int cmd, ulong arg)
break;
case VFM_IOCTL_CMD_RM:{
ret =
copy_from_user(argp.val, user_argp->val, sizeof(argp.val));
copy_from_user(argp.val, user_argp->val, sizeof(argp.val) - 1);
if (ret)
ret = -EINVAL;
else
@@ -785,16 +787,15 @@ static long vfm_ioctl(struct file *file, unsigned int cmd, ulong arg)
break;
case VFM_IOCTL_CMD_DUMP:{
ret =
copy_from_user(argp.val, user_argp->val, sizeof(argp.val));
copy_from_user(argp.val, user_argp->val, sizeof(argp.val) - 1);
if (ret)
ret = -EINVAL;
argp.val[sizeof(argp.val) - 1] = '\0';
vfm_dump_provider(argp.val);
}
break;
case VFM_IOCTL_CMD_ADDDUMMY:{
ret =
copy_from_user(argp.val, user_argp->val, sizeof(argp.val));
copy_from_user(argp.val, user_argp->val, sizeof(argp.val) - 1);
if (ret)
ret = -EINVAL;
add_dummy_receiver(argp.val);