platform/x86: hp-bioscfg: prevent a small buffer overflow

This function escapes certain special characters like \n.  So if the
last character in the string is a '\n' then it gets changed into two
characters '\' and '\n'.  But maybe we only have space for the '\' so
we need to check for that.

The "conv_dst_size" variable is always less than or to equal the "size"
variable.  It's easier to just check "conv_dst_size" instead of checking
both.

Fixes: a34fc329b189 ("platform/x86: hp-bioscfg: bioscfg")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/b4950310-e65f-412f-8d2b-90bb074a6572@moroto.mountain
Reviewed-by: Jorge Lopez <jorge.lopez2@hp.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>

1 files changed, 5 insertions, 2 deletions

diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
index b0a94640ff6f..32d9c36ca553 100644
--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
@@ -94,12 +94,15 @@ int hp_get_string_from_buffer(u8 **buffer, u32 *buffer_size, char *dst, u32 dst_
 	utf16s_to_utf8s(src, src_size, UTF16_HOST_ENDIAN, dst, conv_dst_size);
 	dst[conv_dst_size] = 0;
 
-	for (i = 0; i < size && i < conv_dst_size; i++) {
+	for (i = 0; i < conv_dst_size; i++) {
 		if (*src == '\\' ||
 		    *src == '\r' ||
 		    *src == '\n' ||
-		    *src == '\t')
+		    *src == '\t') {
 			dst[i++] = '\\';
+			if (i == conv_dst_size)
+				break;
+		}
 
 		if (*src == '\r')
 			dst[i] = 'r';