[PATCH 2/2] ALSA: control - off by one in store_mode()
Jaroslav Kysela
perex at perex.cz
Fri Apr 2 19:52:43 CEST 2021
Dne 02. 04. 21 v 13:42 Dan Carpenter napsal(a):
> If count is 16 then this will put the NUL terminator one element beyond
> the end of the array.
>
> Fixes: cb17fe0045aa ("ALSA: control - add sysfs support to the LED trigger module")
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
No idea why I added + 1... Thanks for your correction.
Reviewed-by: Jaroslav Kysela <perex at perex.cz>
> ---
> sound/core/control_led.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sound/core/control_led.c b/sound/core/control_led.c
> index 202b475d0bf3..ab5a455723c8 100644
> --- a/sound/core/control_led.c
> +++ b/sound/core/control_led.c
> @@ -391,7 +391,7 @@ static ssize_t store_mode(struct device *dev, struct device_attribute *attr,
> {
> struct snd_ctl_led *led = container_of(dev, struct snd_ctl_led, dev);
> char _buf[16];
> - size_t l = min(count, sizeof(_buf) - 1) + 1;
> + size_t l = min(count, sizeof(_buf) - 1);
> enum snd_ctl_led_mode mode;
>
> memcpy(_buf, buf, l);
>
--
Jaroslav Kysela <perex at perex.cz>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
More information about the Alsa-devel
mailing list