Currently the 'c2dev' device data is not zeroed when its allocated. Coupled with the fact strncpy() *may not* provide a NUL terminator means that a 1-byte leak would be possible *if* this was ever copied to userspace.
To prevent such a failing, let's first ensure the 'c2dev' device data area is fully zeroed out and ensure the buffer will always be NUL terminated by using the kernel's strscpy() which a) uses the destination (instead of the source) size as the bytes to copy and b) is *always* NUL terminated. Cc: Rodolfo Giometti <[email protected]> Cc: "Eurotech S.p.A" <[email protected]> Reported-by: Geert Uytterhoeven <[email protected]> Signed-off-by: Lee Jones <[email protected]> --- drivers/misc/c2port/core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c index 80d87e8a0bea9..0de538a1cc1c6 100644 --- a/drivers/misc/c2port/core.c +++ b/drivers/misc/c2port/core.c @@ -899,7 +899,7 @@ struct c2port_device *c2port_device_register(char *name, unlikely(!ops->c2d_get) || unlikely(!ops->c2d_set)) return ERR_PTR(-EINVAL); - c2dev = kmalloc(sizeof(struct c2port_device), GFP_KERNEL); + c2dev = kzalloc(sizeof(struct c2port_device), GFP_KERNEL); if (unlikely(!c2dev)) return ERR_PTR(-ENOMEM); @@ -923,7 +923,7 @@ struct c2port_device *c2port_device_register(char *name, } dev_set_drvdata(c2dev->dev, c2dev); - strncpy(c2dev->name, name, C2PORT_NAME_LEN - 1); + strscpy(c2dev->name, name, sizeof(c2dev->name)); c2dev->ops = ops; mutex_init(&c2dev->mutex); -- 2.25.1
