tools: testbench: bound control name and value copies in tb_parse_amixer

jmestwa-coder · jmestwa-coder · commit e68bb299beff · 2026-06-22T19:30:07.000+05:30
tb_parse_amixer() copies the control name and value parsed from a
control-script line into two fixed 128-byte stack buffers (control_name,
control_params) via memcpy. The copy length is derived from the quote
delimiter pointers with no upper bound:

- control_name: len = end_str - name_str - find_len, taken from the
  cset name="..." quotes and never capped to TB_MAX_CTL_NAME_CHARS
- control_params: same unchecked length for the value after the closing
  quote

A script line whose name or value exceeds the buffer overflows the
stack. The sibling tb_parse_sofctl() parses the same shape safely with
strndup(). Reject over-length fields before each memcpy.

Signed-off-by: jmestwa-coder &lt;jmestwa@gmail.com&gt;
diff --git a/tools/testbench/utils.c b/tools/testbench/utils.c
@@ -368,10 +368,18 @@ static int tb_parse_amixer(struct testbench_prm *tp, char *line)
 	}
 
 	len = end_str - name_str - find_len;
+	if (len < 0 || len >= TB_MAX_CTL_NAME_CHARS) {
+		fprintf(stderr, "error: control name too long in script line: %s\n", line);
+		return -EINVAL;
+	}
 	memcpy(control_name, name_str + find_len, len);
 
 	line_end = line + strlen(line);
 	len = line_end - end_str - find_end_len;
+	if (len < 0 || len >= TB_MAX_CTL_NAME_CHARS) {
+		fprintf(stderr, "error: control value too long in script line: %s\n", line);
+		return -EINVAL;
+	}
 	memcpy(control_params, &end_str[find_end_len], len);
 
 	printf("Info: Setting control name '%s' to value (%s)\n", control_name, control_params);
