hex2bin: fix access beyond string end
commite4d8a29997
upstream. If we pass too short string to "hex2bin" (and the string size without the terminating NUL character is even), "hex2bin" reads one byte after the terminating NUL character. This patch fixes it. Note that hex_to_bin returns -1 on error and hex2bin return -EINVAL on error - so we can't just return the variable "hi" or "lo" on error. This inconsistency may be fixed in the next merge window, but for the purpose of fixing this bug, we just preserve the existing behavior and return -1 and -EINVAL. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com> Fixes:b78049831f
("lib: add error checking to hex2bin") Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Родитель
4541645b58
Коммит
3437091fcc
|
@ -63,10 +63,13 @@ EXPORT_SYMBOL(hex_to_bin);
|
|||
int hex2bin(u8 *dst, const char *src, size_t count)
|
||||
{
|
||||
while (count--) {
|
||||
int hi = hex_to_bin(*src++);
|
||||
int lo = hex_to_bin(*src++);
|
||||
int hi, lo;
|
||||
|
||||
if ((hi < 0) || (lo < 0))
|
||||
hi = hex_to_bin(*src++);
|
||||
if (unlikely(hi < 0))
|
||||
return -EINVAL;
|
||||
lo = hex_to_bin(*src++);
|
||||
if (unlikely(lo < 0))
|
||||
return -EINVAL;
|
||||
|
||||
*dst++ = (hi << 4) | lo;
|
||||
|
|
Загрузка…
Ссылка в новой задаче