On 6/8/26 11:55 AM, [email protected] wrote:
> From: David Laight <[email protected]>
> 
> Nothing obvious ensures that the name is less than GLINK_CMD_OPEN (32)
                                                     ^ GLINK_NAME_SIZE


[...]

> @@ -481,8 +481,7 @@ static int qcom_glink_send_open_req(struct qcom_glink 
> *glink,
>                                   struct glink_channel *channel)
>  {
>       DEFINE_RAW_FLEX(struct glink_msg, req, data, GLINK_NAME_SIZE);
> -     int name_len = strlen(channel->name) + 1;
> -     int req_len = ALIGN(sizeof(*req) + name_len, 8);
> +     int name_len, req_len;
>       int ret;
>       unsigned long flags;
>  
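Review bot: `int name_len, req_len;` now leaves both variables uninitialized at declaration, and the quoted lines only show `name_len` being assigned later. Make sure `req_len` is computed from the clamped `name_len` (the removed line used `ALIGN(sizeof(*req) + name_len, 8)`) before anything reads it, and that no path between the declaration and the `strscpy_pad()` call uses either variable.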
> @@ -498,14 +497,20 @@ static int qcom_glink_send_open_req(struct qcom_glink 
> *glink,
>  
>       channel->lcid = ret;
>  
> +     name_len = strscpy_pad(req->data, channel->name, GLINK_NAME_SIZE);
> +     if (name_len < 0)
> +             name_len = GLINK_NAME_SIZE;
> +     else
> +             name_len++;
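Review bot: in the `name_len < 0` branch an over-long `channel->name` is clipped to `GLINK_NAME_SIZE - 1` characters plus the NUL, and the open request still goes out with nothing logged, so the remote side is asked to open a name that differs from the one the channel holds. Consider rejecting the request with an error in that branch rather than setting `name_len = GLINK_NAME_SIZE`, ideally by checking the length before `channel->lcid = ret;` so there is nothing to undo, or at minimum emit a warning there. A one-line comment stating that `name_len` counts the terminating NUL in both branches would make the `name_len++` easier to follow.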

Should we perhaps do something along the lines of:

WARN_ON(strlen(name) > GLINK_NAME_SIZE)

to prevent silent clipping?

Konrad
