of/device: Prevent buffer overflow in of_device_modalias()

commit 08ab58d9de3eb8498ae0585001d0975e46217a39 upstream. As of_device_get_modalias() returns the number of bytes that would have been written to the target string, regardless of how much did fit in the buffer, it's possible that the returned index points beyond the buffer passed to of_device_modalias() - causing memory beyond the buffer to be null terminated. Fixes: 0634c2958927 ("of: Add function for generating a DT modalias with a newline") Cc: Rob Herring <robh@kernel.org> Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Rob Herring <robh@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Bjorn Andersson <bjorn.andersson@linaro.org> 2017-08-23 18:04:04 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-09-09 17:39:28 +0200
commit: d29e6c2a62cfa53e131e4e669d7fa0492c200b04 (patch)
tree: e1bfeda3a0a3e10d47b229f81e9779cd967c1a43
parent: 9cbbaf10840410f4bf40d4e3a10a03fa8d3878ce (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/of/device.c b/drivers/of/device.c
index e0a28ea341fe..eabfa36383ce 100644
--- a/drivers/of/device.c
+++ b/drivers/of/device.c
@@ -274,6 +274,8 @@ ssize_t of_device_modalias(struct device *dev, char *str, ssize_t len)
 	ssize_t sl = of_device_get_modalias(dev, str, len - 2);
 	if (sl < 0)
 		return sl;
+	if (sl > len - 2)
+		return -ENOMEM;
 
 	str[sl++] = '\n';
 	str[sl] = 0;
author	Bjorn Andersson <bjorn.andersson@linaro.org>	2017-08-23 18:04:04 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-09-09 17:39:28 +0200
commit	d29e6c2a62cfa53e131e4e669d7fa0492c200b04 (patch)
tree	e1bfeda3a0a3e10d47b229f81e9779cd967c1a43
parent	9cbbaf10840410f4bf40d4e3a10a03fa8d3878ce (diff)