Commit d8ce9bd8 authored by Zubin Mithra's avatar Zubin Mithra Committed by DidntRead
Browse files

ALSA: seq: Fix OOB-reads from strlcpy 



commit 212ac181c158c09038c474ba68068be49caecebb upstream.

When ioctl calls are made with non-null-terminated userspace strings,
strlcpy causes an OOB-read from within strlen. Fix by changing to use
strscpy instead.

Signed-off-by: default avatarZubin Mithra <zsm@chromium.org>
Reviewed-by: default avatarGuenter Roeck <groeck@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 9ae79d3f

sound/core/seq/seq_clientmgr.c

+3 −3
Original line number Diff line number Diff line
@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info(struct snd_seq_client *client, 


	/* fill the info fields */

	if (client_info.name[0])

		strlcpy(client->name, client_info.name, sizeof(client->name));

		strscpy(client->name, client_info.name, sizeof(client->name));



	client->filter = client_info.filter;

	client->event_lost = client_info.event_lost;
@@ -1564,7 +1564,7 @@ static int snd_seq_ioctl_create_queue(struct snd_seq_client *client, 
	/* set queue name */

	if (! info.name[0])

		snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue);

	strlcpy(q->name, info.name, sizeof(q->name));

	strscpy(q->name, info.name, sizeof(q->name));

	queuefree(q);



	if (copy_to_user(arg, &info, sizeof(info)))
@@ -1642,7 +1642,7 @@ static int snd_seq_ioctl_set_queue_info(struct snd_seq_client *client, 
		queuefree(q);

		return -EPERM;

	}

	strlcpy(q->name, info.name, sizeof(q->name));

	strscpy(q->name, info.name, sizeof(q->name));

	queuefree(q);



	return 0;