diff mbox series

HID: wacom: Check for string overflow from strscpy calls

Message ID 20230414182210.383218-1-jason.gerecke@wacom.com
State Accepted
Commit d9eef346b601afb0bd74b49e0db06f6a5cebd030
Headers show
Series HID: wacom: Check for string overflow from strscpy calls | expand

Commit Message

Gerecke, Jason April 14, 2023, 6:22 p.m. UTC 
From: Jason Gerecke <killertofu@gmail.com>

The strscpy function is able to return an error code when a copy would
overflow the size of the destination. The copy is stopped and the buffer
terminated before overflow actually occurs so it is safe to continue
execution, but we should still produce a warning should this occur.

Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
---
 drivers/hid/wacom_sys.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

Comments

Gerecke, Jason April 28, 2023, 5:32 p.m. UTC | #1 
On Fri, Apr 14, 2023 at 11:22 AM Jason Gerecke <killertofu@gmail.com> wrote:
>
> From: Jason Gerecke <killertofu@gmail.com>
>
> The strscpy function is able to return an error code when a copy would
> overflow the size of the destination. The copy is stopped and the buffer
> terminated before overflow actually occurs so it is safe to continue
> execution, but we should still produce a warning should this occur.
>
> Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
> Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
> ---
>  drivers/hid/wacom_sys.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
> index 8214896adadad..7192970d199a0 100644
> --- a/drivers/hid/wacom_sys.c
> +++ b/drivers/hid/wacom_sys.c
> @@ -2224,7 +2224,9 @@ static void wacom_update_name(struct wacom *wacom, const char *suffix)
>                 } else if (strstr(product_name, "Wacom") ||
>                            strstr(product_name, "wacom") ||
>                            strstr(product_name, "WACOM")) {
> -                       strscpy(name, product_name, sizeof(name));
> +                       if (strscpy(name, product_name, sizeof(name)) < 0) {
> +                               hid_warn(wacom->hdev, "String overflow while assembling device name");
> +                       }
>                 } else {
>                         snprintf(name, sizeof(name), "Wacom %s", product_name);
>                 }
> @@ -2242,7 +2244,9 @@ static void wacom_update_name(struct wacom *wacom, const char *suffix)
>                 if (name[strlen(name)-1] == ' ')
>                         name[strlen(name)-1] = '\0';
>         } else {
> -               strscpy(name, features->name, sizeof(name));
> +               if (strscpy(name, features->name, sizeof(name)) < 0) {
> +                       hid_warn(wacom->hdev, "String overflow while assembling device name");
> +               }
>         }
>
>         snprintf(wacom_wac->name, sizeof(wacom_wac->name), "%s%s",
> @@ -2500,8 +2504,10 @@ static void wacom_wireless_work(struct work_struct *work)
>                                 goto fail;
>                 }
>
> -               strscpy(wacom_wac->name, wacom_wac1->name,
> -                       sizeof(wacom_wac->name));
> +               if (strscpy(wacom_wac->name, wacom_wac1->name,
> +                       sizeof(wacom_wac->name)) < 0) {
> +                       hid_warn(wacom->hdev, "String overflow while assembling device name");
> +               }
>         }
>
>         return;
> --
> 2.40.0
>

Poking this thread again in case it got lost in the inbox...

Jason
---
Now instead of four in the eights place /
you’ve got three, ‘Cause you added one  /
(That is to say, eight) to the two,     /
But you can’t take seven from three,    /
So you look at the sixty-fours....
Peter Hutterer May 4, 2023, 4:34 a.m. UTC | #2 
On Fri, Apr 14, 2023 at 11:22:10AM -0700, Jason Gerecke wrote:
> From: Jason Gerecke <killertofu@gmail.com>
> 
> The strscpy function is able to return an error code when a copy would
> overflow the size of the destination. The copy is stopped and the buffer
> terminated before overflow actually occurs so it is safe to continue
> execution, but we should still produce a warning should this occur.
> 
> Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
> Reviewed-by: Ping Cheng <ping.cheng@wacom.com>

Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

Cheers,
  Peter

> ---
>  drivers/hid/wacom_sys.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
> index 8214896adadad..7192970d199a0 100644
> --- a/drivers/hid/wacom_sys.c
> +++ b/drivers/hid/wacom_sys.c
> @@ -2224,7 +2224,9 @@ static void wacom_update_name(struct wacom *wacom, const char *suffix)
>  		} else if (strstr(product_name, "Wacom") ||
>  			   strstr(product_name, "wacom") ||
>  			   strstr(product_name, "WACOM")) {
> -			strscpy(name, product_name, sizeof(name));
> +			if (strscpy(name, product_name, sizeof(name)) < 0) {
> +				hid_warn(wacom->hdev, "String overflow while assembling device name");
> +			}
>  		} else {
>  			snprintf(name, sizeof(name), "Wacom %s", product_name);
>  		}
> @@ -2242,7 +2244,9 @@ static void wacom_update_name(struct wacom *wacom, const char *suffix)
>  		if (name[strlen(name)-1] == ' ')
>  			name[strlen(name)-1] = '\0';
>  	} else {
> -		strscpy(name, features->name, sizeof(name));
> +		if (strscpy(name, features->name, sizeof(name)) < 0) {
> +			hid_warn(wacom->hdev, "String overflow while assembling device name");
> +		}
>  	}
>  
>  	snprintf(wacom_wac->name, sizeof(wacom_wac->name), "%s%s",
> @@ -2500,8 +2504,10 @@ static void wacom_wireless_work(struct work_struct *work)
>  				goto fail;
>  		}
>  
> -		strscpy(wacom_wac->name, wacom_wac1->name,
> -			sizeof(wacom_wac->name));
> +		if (strscpy(wacom_wac->name, wacom_wac1->name,
> +			sizeof(wacom_wac->name)) < 0) {
> +			hid_warn(wacom->hdev, "String overflow while assembling device name");
> +		}
>  	}
>  
>  	return;
> -- 
> 2.40.0
>
Jiri Kosina May 23, 2023, 1:07 p.m. UTC | #3 
On Fri, 14 Apr 2023, Jason Gerecke wrote:

> From: Jason Gerecke <killertofu@gmail.com>
> 
> The strscpy function is able to return an error code when a copy would
> overflow the size of the destination. The copy is stopped and the buffer
> terminated before overflow actually occurs so it is safe to continue
> execution, but we should still produce a warning should this occur.
> 
> Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
> Reviewed-by: Ping Cheng <ping.cheng@wacom.com>

Now applied, sorry for the delay.
diff mbox series

Patch

diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
index 8214896adadad..7192970d199a0 100644
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -2224,7 +2224,9 @@  static void wacom_update_name(struct wacom *wacom, const char *suffix)
 		} else if (strstr(product_name, "Wacom") ||
 			   strstr(product_name, "wacom") ||
 			   strstr(product_name, "WACOM")) {
-			strscpy(name, product_name, sizeof(name));
+			if (strscpy(name, product_name, sizeof(name)) < 0) {
+				hid_warn(wacom->hdev, "String overflow while assembling device name");
+			}
 		} else {
 			snprintf(name, sizeof(name), "Wacom %s", product_name);
 		}
@@ -2242,7 +2244,9 @@  static void wacom_update_name(struct wacom *wacom, const char *suffix)
 		if (name[strlen(name)-1] == ' ')
 			name[strlen(name)-1] = '\0';
 	} else {
-		strscpy(name, features->name, sizeof(name));
+		if (strscpy(name, features->name, sizeof(name)) < 0) {
+			hid_warn(wacom->hdev, "String overflow while assembling device name");
+		}
 	}
 
 	snprintf(wacom_wac->name, sizeof(wacom_wac->name), "%s%s",
@@ -2500,8 +2504,10 @@  static void wacom_wireless_work(struct work_struct *work)
 				goto fail;
 		}
 
-		strscpy(wacom_wac->name, wacom_wac1->name,
-			sizeof(wacom_wac->name));
+		if (strscpy(wacom_wac->name, wacom_wac1->name,
+			sizeof(wacom_wac->name)) < 0) {
+			hid_warn(wacom->hdev, "String overflow while assembling device name");
+		}
 	}
 
 	return;