| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260204101536.3311-1-iprintercanon@gmail.com>
Date: Wed, 4 Feb 2026 10:15:33 +0000
From: Artem Lytkin <iprintercanon@...il.com>
To: Sudip Mukherjee <sudipm.mukherjee@...il.com>,
Teddy Wang <teddy.wang@...iconmotion.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: linux-fbdev@...r.kernel.org,
linux-staging@...ts.linux.dev,
linux-kernel@...r.kernel.org,
Artem Lytkin <iprintercanon@...il.com>
Subject: [PATCH v2 1/4] staging: sm750fb: add bounds checking to option parsing in lynxfb_setup()
Replace strcat() with memcpy() and add explicit bounds checking on the
remaining buffer space before each copy. The original code lacked any
validation that the write position stays within the allocated buffer.
Signed-off-by: Artem Lytkin <iprintercanon@...il.com>
---
drivers/staging/sm750fb/sm750.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/sm750fb/sm750.c b/drivers/staging/sm750fb/sm750.c
index fecd7457e..0eacb522d 100644
--- a/drivers/staging/sm750fb/sm750.c
+++ b/drivers/staging/sm750fb/sm750.c
@@ -1163,8 +1163,15 @@ static int __init lynxfb_setup(char *options)
} else if (!strncmp(opt, "dual", strlen("dual"))) {
g_dualview = 1;
} else {
- strcat(tmp, opt);
- tmp += strlen(opt);
+ size_t opt_len = strlen(opt);
+ size_t remaining = len - (tmp - g_settings);
+
+ if (opt_len + 1 >= remaining) {
+ pr_warn("option string too long\n");
+ break;
+ }
+ memcpy(tmp, opt, opt_len);
+ tmp += opt_len;
if (options)
*tmp++ = ':';
else
--
2.43.0
Powered by blists - more mailing lists