From 71d69e82f4168713afd89804d6e5f52d0e3848a2 Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Mon, 21 Jun 2021 21:36:48 +0200 Subject: [PATCH] platform/x86: think-lmi: Return EINVAL when kbdlang gets set to a 0 length string MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit 0ddcf3a6b442 ("platform/x86: think-lmi: Avoid potential read before start of the buffer") moved the length == 0 up to before stripping the '\n' which typically gets added when users echo a value to a sysfs-attribute from the shell. This avoids a potential buffer-underrun, but it also causes a behavioral change, prior to this change "echo > kbdlang", iow writing just a single '\n' would result in an EINVAL error, but after the change this gets accepted setting kbdlang to an empty string. Fix this by replacing the manual '\n' check with using strchrnul() to get the length till '\n' or terminating 0 in one go; and then do the length != 0 check after this. Fixes: 0ddcf3a6b442 ("platform/x86: think-lmi: Avoid potential read before start of the buffer") Reported-by: Juha Leppänen Suggested-by: Andy Shevchenko Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210621193648.44138-1-hdegoede@redhat.com --- drivers/platform/x86/think-lmi.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c index c6c9fbb8a53e..b57061079288 100644 --- a/drivers/platform/x86/think-lmi.c +++ b/drivers/platform/x86/think-lmi.c @@ -442,14 +442,9 @@ static ssize_t kbdlang_store(struct kobject *kobj, struct tlmi_pwd_setting *setting = to_tlmi_pwd_setting(kobj); int length; - length = strlen(buf); - if (!length) - return -EINVAL; - - if (buf[length-1] == '\n') - length--; - - if (length >= TLMI_LANG_MAXLEN) + /* Calculate length till '\n' or terminating 0 */ + length = strchrnul(buf, '\n') - buf; + if (!length || length >= TLMI_LANG_MAXLEN) return -EINVAL; memcpy(setting->kbdlang, buf, length);