The "einj_buf" buffer is 32 chars. Verify that "count" is not too large for that. Also leave the last character as a NUL terminator to ensure the string is properly terminated. Fixes: 0c6176e1e186 ("ACPI: APEI: EINJ: Enable the discovery of EINJv2 capabilities") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- v2: I messed up the sizeof() calculation in the copy_from_user() and I put the parentheses in the wrong place in v1. drivers/acpi/apei/einj-core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c index d6d7e36e3647..2206cbbdccfa 100644 --- a/drivers/acpi/apei/einj-core.c +++ b/drivers/acpi/apei/einj-core.c @@ -826,8 +826,11 @@ static ssize_t error_type_set(struct file *file, const char __user *buf, int rc; u64 val; + if (count > sizeof(einj_buf)) + return -EINVAL; + memset(einj_buf, 0, sizeof(einj_buf)); - if (copy_from_user(einj_buf, buf, count)) + if (copy_from_user(einj_buf, buf, min(count, sizeof(einj_buf) - 1))) return -EFAULT; if (strncmp(einj_buf, "V2_", 3) == 0) { -- 2.47.2
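Review bot: the new bounds check and the min() clamp in the error_type_set() hunk overlap, and the one input they disagree on (count == sizeof(einj_buf)) is silently truncated instead of rejected. With `if (count > sizeof(einj_buf)) return -EINVAL;` a 32-byte write passes the check, and `min(count, sizeof(einj_buf) - 1)` then drops the user's last byte without any error, which is inconsistent with the -EINVAL returned for 33 bytes. Since the commit message's intent is to always keep the final byte as the NUL terminator, the simpler form is `if (count >= sizeof(einj_buf)) return -EINVAL;` followed by the original `copy_from_user(einj_buf, buf, count)`, which makes the limit explicit in one place and lets the existing memset() guarantee termination. If the clamp is kept on purpose (to accept a trailing newline from a 32-byte echo, say), the check becomes dead code for that case and the truncation should be noted in the commit message.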