From: Zubin Mithra <[email protected]> commit 212ac181c158c09038c474ba68068be49caecebb upstream.
When ioctl calls are made with non-null-terminated userspace strings, strlcpy causes an OOB-read from within strlen. Fix by changing to use strscpy instead. Signed-off-by: Zubin Mithra <[email protected]> Reviewed-by: Guenter Roeck <[email protected]> Cc: <[email protected]> Signed-off-by: Takashi Iwai <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- sound/core/seq/seq_clientmgr.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info /* fill the info fields */ if (client_info.name[0]) - strlcpy(client->name, client_info.name, sizeof(client->name)); + strscpy(client->name, client_info.name, sizeof(client->name)); client->filter = client_info.filter; client->event_lost = client_info.event_lost; @@ -1558,7 +1558,7 @@ static int snd_seq_ioctl_create_queue(st /* set queue name */ if (! info.name[0]) snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue); - strlcpy(q->name, info.name, sizeof(q->name)); + strscpy(q->name, info.name, sizeof(q->name)); snd_use_lock_free(&q->use_lock); if (copy_to_user(arg, &info, sizeof(info))) @@ -1636,7 +1636,7 @@ static int snd_seq_ioctl_set_queue_info( queuefree(q); return -EPERM; } - strlcpy(q->name, info.name, sizeof(q->name)); + strscpy(q->name, info.name, sizeof(q->name)); queuefree(q); return 0;
