From 1240d01e09fd4d3a351d3d14c5ebed2761c16ad5 Mon Sep 17 00:00:00 2001
From: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
Date: Fri, 22 Dec 2017 11:53:26 +0530
Subject: [PATCH] msm: camera: Prevent buffer overread in write_logsync.

If userspace issues write with string of length 21 or more then
there is a chance that kernel will overread lbuf array.
This change makes sure that lbuf is NULL terminated.

Change-Id: I9ad6d5a607b2ff1f293512be9746ee554b076b10
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
---
 drivers/media/platform/msm/camera_v2/msm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/msm/camera_v2/msm.c b/drivers/media/platform/msm/camera_v2/msm.c
index 6a969401e950..60532929a916 100644
--- a/drivers/media/platform/msm/camera_v2/msm.c
+++ b/drivers/media/platform/msm/camera_v2/msm.c
@@ -1288,7 +1288,7 @@ static ssize_t write_logsync(struct file *file, const char __user *buf,
 	uint64_t seq_num = 0;
 	int ret;
 
-	if (copy_from_user(lbuf, buf, sizeof(lbuf)))
+	if (copy_from_user(lbuf, buf, sizeof(lbuf) - 1))
 		return -EFAULT;
 
 	ret = sscanf(lbuf, "%llu", &seq_num);