iio: backend: fix out-of-bound write

The buffer is set to 80 character. If a caller write more characters,
count is truncated to the max available space in "simple_write_to_buffer".
But afterwards a string terminator is written to the buffer at offset count
without boundary check. The zero termination is written OUT-OF-BOUND.

Add a check that the given buffer is smaller then the buffer to prevent.

Fixes: 035b4989211d ("iio: backend: make sure to NULL terminate stack buffer")
Signed-off-by: Markus Burri <markus.burri@mt.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20250508130612.82270-2-markus.burri@mt.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

diff --git a/drivers/iio/industrialio-backend.c b/drivers/iio/industrialio-backend.c
index c1eb9ef9db08aec8437d0d00cf77914ad6611b72..266e1b29bf91141551e3602aeee47f5d32e4bc17 100644 (file)
--- a/drivers/iio/industrialio-backend.c
+++ b/drivers/iio/industrialio-backend.c
@@ -155,11 +155,14 @@ static ssize_t iio_backend_debugfs_write_reg(struct file *file,
        ssize_t rc;
        int ret;
 
+       if (count >= sizeof(buf))
+               return -ENOSPC;
+
        rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);
        if (rc < 0)
                return rc;
 
-       buf[count] = '\0';
+       buf[rc] = '\0';
 
        ret = sscanf(buf, "%i %i", &back->cached_reg_addr, &val);