[dm-devel] [PATCH] hex2bin: fix access beyond string end
Andy Shevchenko
andy.shevchenko at gmail.com
Tue Apr 26 10:37:08 UTC 2022
On Sun, Apr 24, 2022 at 10:48 PM Mikulas Patocka <mpatocka at redhat.com> wrote:
>
> If we pass too short string to "hex2bin" (and the string size without the
> terminating NUL character is even), "hex2bin" reads one byte after the
> terminating NUL character. This patch fixes it.
>
> Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>
> Cc: stable at vger.kernel.org
You need to provide a Fixes tag.
...
> while (count--) {
> - int hi = hex_to_bin(*src++);
> - int lo = hex_to_bin(*src++);
> + int hi, lo;
>
> - if ((hi < 0) || (lo < 0))
> + hi = hex_to_bin(*src++);
> + if (hi < 0)
> + return -EINVAL;
return hi;
> + lo = hex_to_bin(*src++);
> + if (lo < 0)
> return -EINVAL;
return lo;
> *dst++ = (hi << 4) | lo;
And on top of that it would be nice to understand if we need to
support half-bytes, but in any case it's not a scope of the patch
right now.
--
With Best Regards,
Andy Shevchenko
More information about the dm-devel
mailing list