Re: [PATCH net-next v6 3/5] dpll: zl3073x: Add firmware loading functionality

On Tue,  9 Sep 2025 11:15:30 +0200 Ivan Vecera wrote:
> +	/* Fetch image name and size from input */
> +	strscpy(buf, *psrc, min(sizeof(buf), *psize));
> +	rc = sscanf(buf, "%15s %u %n", name, &count, &pos);
> +	if (!rc) {
> +		/* No more data */
> +		return 0;
> +	} else if (rc == 1 || count > U32_MAX / sizeof(u32)) {
> +		ZL3073X_FW_ERR_MSG(extack, "invalid component size");
> +		return -EINVAL;
> +	}
> +	*psrc += pos;
> +	*psize -= pos;
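
Review bot: the return value of strscpy() is ignored at `strscpy(buf, *psrc, min(sizeof(buf), *psize));`, and when *psize is 0 the size argument is 0, so strscpy() writes nothing and sscanf() then parses whatever buf already held (the declaration of buf is not visible in this hunk). Returning early when *psize is 0 would cover that case. Because strscpy() copies at most size - 1 characters, the last byte of the remaining input is also dropped whenever *psize is smaller than sizeof(buf). At `*psrc += pos; *psize -= pos;`, pos is only written if sscanf() reaches `%n`, so initialising it to a sentinel and rejecting the input unless rc is 2 and pos is within *psize would make the advance safe without relying on how the earlier branches happen to fall out.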

Still worried about pos not being bounds checked.
Admin can crash the kernel with invalid FW file.

	if (pos > *psize)
		/* error */

Also what if sscanf() returns 2? pos is uninitialized?
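
A user-space sketch of the header parse with the checks discussed above, added as an illustration; it is not code from this thread or from the zl3073x driver. The function name `parse_header` and the 32-byte scratch buffer are assumptions, and memcpy() plus an explicit terminator stands in for the kernel's strscpy().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_BUF 32	/* assumed scratch size; the driver's buf size is not shown */

/* Returns 1 if a header was consumed, 0 if no data is left, -1 if invalid. */
static int parse_header(const char **psrc, size_t *psize,
			char name[16], unsigned int *count)
{
	char buf[HDR_BUF];
	size_t n = *psize < sizeof(buf) - 1 ? *psize : sizeof(buf) - 1;
	int pos = -1;	/* stays -1 unless sscanf() reaches %n */
	int rc;

	if (n == 0)
		return 0;	/* never parse an unwritten buffer */
	memcpy(buf, *psrc, n);	/* input need not be NUL-terminated */
	buf[n] = '\0';

	rc = sscanf(buf, "%15s %u %n", name, count, &pos);
	if (rc <= 0)
		return 0;	/* 0 or EOF: only whitespace remained */
	if (rc != 2 || pos <= 0 || (size_t)pos > *psize)
		return -1;	/* no size, %n not reached, or out of bounds */
	if (*count > UINT32_MAX / sizeof(uint32_t))
		return -1;	/* count * 4 would not fit in 32 bits */

	*psrc += pos;
	*psize -= (size_t)pos;
	return 1;
}

int main(void)
{
	const char *src = "utility 4 AABB";	/* constructed sample input */
	size_t size = strlen(src);
	char name[16];
	unsigned int count;
	int rc = parse_header(&src, &size, name, &count);

	printf("rc=%d left=%zu\n", rc, size);
	return 0;
}
```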