From patchwork Mon Apr 23 13:14:30 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mauro Carvalho Chehab <mchehab@s-opensource.com>
X-Patchwork-Id: 10356991
Return-Path: <linux-media-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	7E58260225 for <patchwork-linux-media@patchwork.kernel.org>;
	Mon, 23 Apr 2018 13:14:38 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6DF8228AB2
	for <patchwork-linux-media@patchwork.kernel.org>;
	Mon, 23 Apr 2018 13:14:38 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 5FA2828AC3; Mon, 23 Apr 2018 13:14:38 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.4 required=2.0 tests=BAYES_00, MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI,URIBL_RHS_DOB autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CB54F28AB2
	for <patchwork-linux-media@patchwork.kernel.org>;
	Mon, 23 Apr 2018 13:14:37 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755203AbeDWNOg (ORCPT
	<rfc822;patchwork-linux-media@patchwork.kernel.org>);
	Mon, 23 Apr 2018 09:14:36 -0400
Received: from osg.samsung.com ([64.30.133.232]:58921 "EHLO osg.samsung.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1754949AbeDWNOf (ORCPT <rfc822;linux-media@vger.kernel.org>);
	Mon, 23 Apr 2018 09:14:35 -0400
Received: from localhost (localhost [127.0.0.1])
	by osg.samsung.com (Postfix) with ESMTP id 48D533DD7B;
	Mon, 23 Apr 2018 06:14:35 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at dev.s-opensource.com
Received: from osg.samsung.com ([127.0.0.1])
	by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id iRSI21yuUcTx; Mon, 23 Apr 2018 06:14:33 -0700 (PDT)
Received: from smtp.s-opensource.com (177.18.30.209.dynamic.adsl.gvt.net.br
	[177.18.30.209])
	by osg.samsung.com (Postfix) with ESMTPSA id A2DB33DD73;
	Mon, 23 Apr 2018 06:14:33 -0700 (PDT)
Received: from mchehab by smtp.s-opensource.com with local (Exim 4.90_1)
	(envelope-from <mchehab@smtp.s-opensource.com>)
	id 1fAbId-0004Ce-4e; Mon, 23 Apr 2018 09:14:31 -0400
From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Cc: Mauro Carvalho Chehab <mchehab@s-opensource.com>,
	Linux Media Mailing List <linux-media@vger.kernel.org>,
	Mauro Carvalho Chehab <mchehab@infradead.org>,
	Markus Elfring <elfring@users.sourceforge.net>,
	Hans Verkuil <hansverk@cisco.com>,
	Tomoki Sekiyama <tomoki.sekiyama@gmail.com>
Subject: [PATCH] media: siano: be sure to not override devpath size
Date: Mon, 23 Apr 2018 09:14:30 -0400
Message-Id: 
 <74e03b1c4caa132234039652646f8066fde865a5.1524489265.git.mchehab@s-opensource.com>
X-Mailer: git-send-email 2.14.3
To: unlisted-recipients:; (no To-header on input)
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Right now, at siano driver, all places where devpath is
defined has sizeof(devpath) == 32. So, there's no practical
risc of going past devpath array anywhere.

Still, code changes might cause troubles. It also confuses
Coverity:
	CID 139059 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
	9. fixed_size_dest: You might overrun the 32-character
	   fixed-size string entry->devpath by copying devpath
	   without checking the length.
	10. parameter_as_source: Note: This defect has an
	    elevated risk because the source argument
	    is a parameter of the current function.

So, explicitly limit strcmp() and strcpy() to ensure that the
devpath size (32) will be respected.

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
---
 drivers/media/common/siano/smscoreapi.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c
index b5dcc6d1fe90..1c93258a2d47 100644
--- a/drivers/media/common/siano/smscoreapi.c
+++ b/drivers/media/common/siano/smscoreapi.c
@@ -415,8 +415,8 @@ EXPORT_SYMBOL_GPL(smscore_get_board_id);
 
 struct smscore_registry_entry_t {
 	struct list_head entry;
-	char			devpath[32];
-	int				mode;
+	char devpath[32];
+	int mode;
 	enum sms_device_type_st	type;
 };
 
@@ -442,7 +442,7 @@ static struct smscore_registry_entry_t *smscore_find_registry(char *devpath)
 	     next != &g_smscore_registry;
 	     next = next->next) {
 		entry = (struct smscore_registry_entry_t *) next;
-		if (!strcmp(entry->devpath, devpath)) {
+		if (!strncmp(entry->devpath, devpath, sizeof(entry->devpath))) {
 			kmutex_unlock(&g_smscore_registrylock);
 			return entry;
 		}
@@ -450,7 +450,7 @@ static struct smscore_registry_entry_t *smscore_find_registry(char *devpath)
 	entry = kmalloc(sizeof(*entry), GFP_KERNEL);
 	if (entry) {
 		entry->mode = default_mode;
-		strcpy(entry->devpath, devpath);
+		strlcpy(entry->devpath, devpath, sizeof(entry->devpath));
 		list_add(&entry->entry, &g_smscore_registry);
 	} else
 		pr_err("failed to create smscore_registry.\n");
@@ -733,7 +733,7 @@ int smscore_register_device(struct smsdevice_params_t *params,
 	dev->postload_handler = params->postload_handler;
 
 	dev->device_flags = params->flags;
-	strcpy(dev->devpath, params->devpath);
+	strlcpy(dev->devpath, params->devpath, sizeof(dev->devpath));
 
 	smscore_registry_settype(dev->devpath, params->device_type);