git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Mikulas Patocka <mpatocka@redhat.com>
	Wed, 27 Apr 2022 15:26:40 +0000 (11:26 -0400)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 12 May 2022 10:20:20 +0000 (12:20 +0200)
commit	a4981bed962f82513c878f87dc9affd157ee7cb9
tree	f242c09d604f86ca4f80b028ceb483f91c028081	tree \| snapshot
parent	0f509c4428833884024dcb29a69a05effe3aaf3d	commit \| diff

hex2bin: fix access beyond string end

commit e4d8a29997731b3bb14059024b24df9f784288d0 upstream.

If we pass too short string to "hex2bin" (and the string size without
the terminating NUL character is even), "hex2bin" reads one byte after
the terminating NUL character. This patch fixes it.

Note that hex_to_bin returns -1 on error and hex2bin return -EINVAL on
error - so we can't just return the variable "hi" or "lo" on error.
This inconsistency may be fixed in the next merge window, but for the
purpose of fixing this bug, we just preserve the existing behavior and
return -1 and -EINVAL.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Fixes: b78049831ffe ("lib: add error checking to hex2bin")
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>