author | Colin Ian King <colin.king@canonical.com> | 2018-10-16 19:03:43 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-01 09:13:41 +0100 |
commit | 02322e7a97f9e5a19400901b9e9c978b728129e6 (patch) | |
tree | 055e6e8832b3fb8204472ff1f542ef76cbc9c676 /tools | |
parent | 1827fafe4887a41246fef1e3876e8a988968d2e9 (diff) | |

usbip: tools: fix atoi() on non-null terminated string

[ Upstream commit e325808c0051b16729ffd472ff887c6cae5c6317 ]

Currently the call to atoi is being passed a single char string
that is not null terminated, so there is a potential read overrun
along the stack when parsing for an integer value. Fix this by
instead using a 2 char string that is initialized to all zeros
to ensure that a 1 char read into the string is always terminated
with a \0.

Detected by cppcheck:
"Invalid atoi() argument nr 1. A nul-terminated string is required."

Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with vudc backend")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

Diffstat (limited to 'tools')
-rw-r--r-- | tools/usb/usbip/libsrc/usbip_host_common.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/tools/usb/usbip/libsrc/usbip_host_common.c b/tools/usb/usbip/libsrc/usbip_host_common.c index 6ff7b601f854..f5ad219a324e 100644 --- a/tools/usb/usbip/libsrc/usbip_host_common.c +++ b/tools/usb/usbip/libsrc/usbip_host_common.c @@ -43,7 +43,7 @@ static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) int size; int fd; int length; - char status; + char status[2] = { 0 }; int value = 0; size = snprintf(status_attr_path, sizeof(status_attr_path), @@ -61,14 +61,14 @@ static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) return -1; } - length = read(fd, &status, 1); + length = read(fd, status, 1); if (length < 0) { err("error reading attribute %s", status_attr_path); close(fd); return -1; } - value = atoi(&status); + value = atoi(status); return value; } |
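
Review bot: In the first hunk, the terminator guarantee of `char status[2] = { 0 };` holds only while the later `read(fd, status, 1)` keeps its literal length of 1, and nothing in the code ties the two together. Passing `sizeof(status) - 1` as the read length would keep the buffer size and the read length coupled, so a later change to either cannot reintroduce the unterminated string that cppcheck flagged.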
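
Review bot: In the second hunk, only `length < 0` is treated as a failure after `read(fd, status, 1)`, so a zero-length read leaves `status` as an empty string and `atoi(status)` returns 0, which the caller cannot tell apart from an attribute that really contains "0". Consider checking `length != 1` and returning -1 with the same `err()` message. The visible context also shows `close(fd)` only on the error path: `value = atoi(status);` is followed directly by `return value;`, so the descriptor appears to stay open on success and a `close(fd)` before the return would be worth adding while this code is being touched.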