From e68bb299beffc811031e01acad6efe09f6de3b8a Mon Sep 17 00:00:00 2001
From: jmestwa-coder
Date: Sun, 21 Jun 2026 13:24:58 +0530
Subject: [PATCH] tools: testbench: bound control name and value copies in tb_parse_amixer
tb_parse_amixer() copies the control name and value parsed from a control-script line into two fixed 128-byte stack buffers (control_name, control_params) via memcpy. The copy length is derived from the quote delimiter pointers with no upper bound: - control_name: len = end_str - name_str - find_len, taken from the cset name="..." quotes and never capped to TB_MAX_CTL_NAME_CHARS - control_params: same unchecked length for the value after the closing quote A script line whose name or value exceeds the buffer overflows the stack. The sibling tb_parse_sofctl() parses the same shape safely with strndup(). Reject over-length fields before each memcpy.
Signed-off-by: jmestwa-coder
---
 tools/testbench/utils.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/tools/testbench/utils.c b/tools/testbench/utils.c
index 597e3aaa043d..91c08c62aab1 100644
--- a/tools/testbench/utils.c
+++ b/tools/testbench/utils.c
@@ -368,10 +368,18 @@ static int tb_parse_amixer(struct testbench_prm *tp, char *line)
 }
 len = end_str - name_str - find_len;
+ if (len < 0 || len >= TB_MAX_CTL_NAME_CHARS) {
+ fprintf(stderr, "error: control name too long in script line: %s\n", line);
+ return -EINVAL;
+ }
 memcpy(control_name, name_str + find_len, len);
 line_end = line + strlen(line);
 len = line_end - end_str - find_end_len;
+ if (len < 0 || len >= TB_MAX_CTL_NAME_CHARS) {
+ fprintf(stderr, "error: control value too long in script line: %s\n", line);
+ return -EINVAL;
+ }
 memcpy(control_params, &end_str[find_end_len], len);
 printf("Info: Setting control name '%s' to value (%s)\n", control_name, control_params);
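Review bot: The second added check bounds the copy into `control_params` with `TB_MAX_CTL_NAME_CHARS`, a constant named for the control-name buffer, so the guard is only correct while both buffers happen to share that size. Tying each bound to its destination keeps the check right if either declaration changes: `if (len < 0 || (size_t)len >= sizeof(control_name)) {` and `if (len < 0 || (size_t)len >= sizeof(control_params)) {`, assuming both are arrays local to this function as the commit message describes (their declarations are outside the hunk). The `>=` comparison leaves one byte for a terminator, but `memcpy` writes none, so the following `printf` with `%s` depends on the buffers being zero-initialized before this point; that is not visible here and is worth confirming or making explicit with `control_name[len] = '\0';` after the copy. Both messages also say "too long" for the `len < 0` case, which is a malformed line rather than an over-length one. tb_parse_amixer's body starts before and continues past the hunk.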