From: Geert Uytterhoeven Date: Fri, 9 Sep 2016 07:02:51 +0000 (+0200) Subject: spi: spidev_test: Fix buffer overflow in unescape() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=0278b34bf15f8d8a609595b15909cd8622dd64ca;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git spi: spidev_test: Fix buffer overflow in unescape() Sometimes spidev_test crashes with: *** Error in `spidev_test': munmap_chunk(): invalid pointer: 0x00022020 *** Aborted or just Segmentation fault This is due to transfer_escaped_string() miscalculating the required size of the buffer by one byte, causing a buffer overflow in unescape(). Drop the bogus "+ 1" in the strlen() parameter to fix this. Note that unescape() never copies the zero-terminator of the source string, so it writes at most as many bytes as the length of the source string. Fixes: 30061915be6e3a2c (spi: spidev_test: Added input buffer from the terminal) Signed-off-by: Geert Uytterhoeven Signed-off-by: Mark Brown Cc: # v4.5+ --- diff --git a/tools/spi/spidev_test.c b/tools/spi/spidev_test.c index 8a73d8185316..f3825b676e38 100644 --- a/tools/spi/spidev_test.c +++ b/tools/spi/spidev_test.c @@ -284,7 +284,7 @@ static void parse_opts(int argc, char *argv[]) static void transfer_escaped_string(int fd, char *str) { - size_t size = strlen(str + 1); + size_t size = strlen(str); uint8_t *tx; uint8_t *rx;