From patchwork Tue Nov 17 22:43:38 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrew Morton <akpm@linux-foundation.org>
X-Patchwork-Id: 2088
Return-path: <linux-media-owner@vger.kernel.org>
Envelope-to: mchehab@infradead.org
Delivery-date: Tue, 17 Nov 2009 22:44:38 +0000
Received: from bombadil.infradead.org [18.85.46.34]
	by pedra.chehab.org with IMAP (fetchmail-6.3.6)
	for <mchehab@localhost> (single-drop);
	Tue, 17 Nov 2009 20:51:59 -0200 (BRST)
Received: from vger.kernel.org ([209.132.176.167])
	by bombadil.infradead.org with esmtp (Exim 4.69 #1 (Red Hat Linux))
	id 1NAWms-0004sg-7B; Tue, 17 Nov 2009 22:44:38 +0000
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756537AbZKQWoY (ORCPT <rfc822; kmpark@infradead.org> + 1 other);
	Tue, 17 Nov 2009 17:44:24 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1756585AbZKQWoU
	(ORCPT <rfc822;linux-media-outgoing>);
	Tue, 17 Nov 2009 17:44:20 -0500
Received: from smtp1.linux-foundation.org ([140.211.169.13]:37997 "EHLO
	smtp1.linux-foundation.org" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1756302AbZKQWoT (ORCPT
	<rfc822;linux-media@vger.kernel.org>);
	Tue, 17 Nov 2009 17:44:19 -0500
Received: from imap1.linux-foundation.org (imap1.linux-foundation.org
	[140.211.169.55])
	by smtp1.linux-foundation.org (8.14.2/8.13.5/Debian-3ubuntu1.1) with
	ESMTP id nAHMhdvp016247
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Tue, 17 Nov 2009 14:43:40 -0800
Received: from localhost.localdomain (localhost [127.0.0.1])
	by imap1.linux-foundation.org
	(8.13.5.20060308/8.13.5/Debian-3ubuntu1.1) with ESMTP id
	nAHMhc0D029228; Tue, 17 Nov 2009 14:43:38 -0800
Message-Id: <200911172243.nAHMhc0D029228@imap1.linux-foundation.org>
Subject: [patch 2/5] quickcam_messenger.c: possible buffer overflow while
	use strncat
To: mchehab@infradead.org
Cc: linux-media@vger.kernel.org, akpm@linux-foundation.org, strakh@ispras.ru
From: akpm@linux-foundation.org
Date: Tue, 17 Nov 2009 14:43:38 -0800
MIME-Version: 1.0
X-Spam-Status: No, hits=-3.518 required=5 tests=AWL, BAYES_00,
	OSDL_HEADER_SUBJECT_BRACKETED
X-Spam-Checker-Version: SpamAssassin 3.2.4-osdl_revision__1.47__
X-MIMEDefang-Filter: lf$Revision: 1.188 $
X-Scanned-By: MIMEDefang 2.63 on 140.211.169.13
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org

From: Alexander Strakh <strakh@ispras.ru>

In driver ./drivers/media/video/usbvideo/quickcam_messenger.c in line 91:

  91         usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));

After this line we use strncat:

  92         strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));

where sizeof(cam->input_physname) returns length of cam->input_phisname
without length for null-symbol.  But this parameter must be - "maximum
numbers of bytes to copy", i.e.:
sizeof(cam->input_physname)-strlen(cam->input_physname)-1.

In this case, after call to usb_make_path the similar drivers use strlcat.

Like in: drivers/hid/usbhid/hid-core.c:
1152         usb_make_path(dev, hid->phys, sizeof(hid->phys));
1153         strlcat(hid->phys, "/input", sizeof(hid->phys));

Found by Linux Driver Verification Project.

Use strlcat instead of strncat.

Signed-off-by: Alexander Strakh <strakh@ispras.ru>
Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 drivers/media/video/usbvideo/quickcam_messenger.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN drivers/media/video/usbvideo/quickcam_messenger.c~quickcam_messengerc-possible-buffer-overflow-while-use-strncat drivers/media/video/usbvideo/quickcam_messenger.c
--- a/drivers/media/video/usbvideo/quickcam_messenger.c~quickcam_messengerc-possible-buffer-overflow-while-use-strncat
+++ a/drivers/media/video/usbvideo/quickcam_messenger.c
@@ -89,7 +89,7 @@ static void qcm_register_input(struct qc
 	int error;
 
 	usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
-	strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
+	strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
 
 	cam->input = input_dev = input_allocate_device();
 	if (!input_dev) {