hidraw: fix number of bytes to copy from uevent in parse_uevent_info (#…

…497) Commit 5c9f147 (#432) replaced a call to strdup with an explicit memcpy to a buffer on the stack. However, it incorrectly used the buffer size, instead of the clamped uevent length, as the argument to memcpy, resulting in reads past the end of uevent: Fix this by using uevent_len as the argument to memcpy. Calling strndupa was considered but abandoned, as it is not standard. Fixes: 5c9f147 (#432) Fixes: 4779d63
libusb · Jan 9, 2023 · 64b778b · 64b778b
1 parent fa8b961
commit 64b778b
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/linux/hid.c b/linux/hid.c
@@ -403,7 +403,7 @@ static int parse_hid_vid_pid_from_uevent(const char *uevent, unsigned *bus_type,
 	size_t uevent_len = strlen(uevent);
 	if (uevent_len > sizeof(tmp) - 1)
 		uevent_len = sizeof(tmp) - 1;
-	memcpy(tmp, uevent, sizeof(tmp));
+	memcpy(tmp, uevent, uevent_len);
 	tmp[uevent_len] = '\0';
 
 	char *saveptr = NULL;
@@ -493,7 +493,7 @@ static int parse_uevent_info(const char *uevent, unsigned *bus_type,
 	size_t uevent_len = strlen(uevent);
 	if (uevent_len > sizeof(tmp) - 1)
 		uevent_len = sizeof(tmp) - 1;
-	memcpy(tmp, uevent, sizeof(tmp));
+	memcpy(tmp, uevent, uevent_len);
 	tmp[uevent_len] = '\0';
 
 	char *saveptr = NULL;