backlight: Fix security issues in handling of the interface path name.

- don't allow '/' in the interface name to avoid escaping the /sys hierarchy - check snprintf() return value for overflow. Problems reported by Adam Sampson. Thanks. Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Reviewed-by: Hans de Goede <hdegoede@redhat.com>
author: Matthieu Herrb <matthieu@herrb.eu> 2014-07-04 18:26:09 +0200
committer: Chris Wilson <chris@chris-wilson.co.uk> 2014-07-04 20:33:29 +0100
commit: 8fa22964f69d3ec8700f177dd7cb3cbc396a9f35 (patch)
tree: 3be1162aee548261ba022560b0cfb625a5ff4b68
parent: 6a64a3ae55ad5f743d2b7a4852b6ca7b54d2a142 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/tools/backlight_helper.c b/tools/backlight_helper.c
index 11abebc2..24958ec6 100644
--- a/tools/backlight_helper.c
+++ b/tools/backlight_helper.c
@@ -17,7 +17,15 @@ int main(int argc, char *argv[])
 		return 1;
 	}
 
-	snprintf(buf, sizeof(buf), "/sys/class/backlight/%s/brightness", argv[1]);
+	if (strchr(argv[1], '/') != NULL) {
+		fprintf(stderr, "Invalid interface name\n");
+		return 1;
+	}
+	if (snprintf(buf, sizeof(buf), "/sys/class/backlight/%s/brightness",
+		argv[1]) >= sizeof(buf)) {
+		fprintf(stderr, "Interface name is too long\n");
+		return 1;
+	}
 	fd = open(buf, O_RDWR);
 	if (fd < 0 || fstat(fd, &st) || major(st.st_dev)) {
 		fprintf(stderr, "Cannot access backlight interface '%s'\n", argv[1]);
author	Matthieu Herrb <matthieu@herrb.eu>	2014-07-04 18:26:09 +0200
committer	Chris Wilson <chris@chris-wilson.co.uk>	2014-07-04 20:33:29 +0100
commit	8fa22964f69d3ec8700f177dd7cb3cbc396a9f35 (patch)
tree	3be1162aee548261ba022560b0cfb625a5ff4b68
parent	6a64a3ae55ad5f743d2b7a4852b6ca7b54d2a142 (diff)