bt: audio: shell: Fix possible buffer overflow

Check the size of the search argument in cmd_media_set_search before copying it. (cherry picked from commit e55af04) Original-Signed-off-by: Flavio Ceolin <[email protected]> GitOrigin-RevId: e55af04 Change-Id: Ibb502b3e8cfdc5738564acc063dcf79be66daf40 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/zephyr/+/4704779 Tested-by: ChromeOS Prod (Robot) <[email protected]> Reviewed-by: Fabio Baltieri <[email protected]> Tested-by: Fabio Baltieri <[email protected]> Commit-Queue: Fabio Baltieri <[email protected]>
coreboot · Jul 20, 2023 · 784ba3a · 784ba3a
1 parent 0e09d11
commit 784ba3a
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/subsys/bluetooth/audio/shell/media_controller.c b/subsys/bluetooth/audio/shell/media_controller.c
@@ -1230,9 +1230,16 @@ static int cmd_media_set_search(const struct shell *sh, size_t argc, char *argv[
 	 */
 
 	struct mpl_search search;
+	size_t len;
 	int err;
 
-	search.len = strlen(argv[1]);
+	len = strlen(argv[1]);
+	if (len > sizeof(search.search)) {
+		shell_print(sh, "Fail: Invalid argument");
+		return -EINVAL;
+	}
+
+	search.len = len;
 	memcpy(search.search, argv[1], search.len);
 	LOG_DBG("Search string: %s", argv[1]);