From: Jeremie Courreges-Anglas
Subject: Re: qciic: fix out-of-bounds read
To: Marcus Glocker
Cc: tech@openbsd.org, Mark Kettenis
Date: Sun, 24 May 2026 11:20:48 +0200

On Sat, May 23, 2026 at 11:21:08PM +0200, Marcus Glocker wrote:
> While working on a new driver, I've noticed that qciic wouldn't NULL
> terminate a compatible string with a length of => 32 bytes, leading
> to an out-of-bounds read later on:
>
> "samsung,galaxybook-kbd-backlighth\^A\M^_$\M^@\M^?\M^?\M^?b" at iic3 addr 0x62 not configured
>
> To fix this, the following diff does basically mimic apliic_bus_scan()
> which works with malloc() for the compatible string instead.
>
> As a side effect I also noticed that ia_namelen doesn't get set today,
> which could cause issues to match a secondary fallback string.
>
> After the diff:
>
> "samsung,galaxybook-kbd-backlight" at iic3 addr 0x62 not configured
>
> Ok?

LGTM, ok jca@

-- 
jca
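
The failure mode discussed in this thread, as an added example that is not part of the original message or of the qciic driver: a userland C model that contrasts a fixed-size copy with an allocated, always-terminated copy that also records the length. The 32-byte buffer size, the helper names (`copy_fixed`, `copy_alloc`, `match_compat`) and the second list entry are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

#define FIXED_LEN 32	/* assumed size of the fixed buffer */

/* Constructed property: two NUL-separated entries, the first 32 chars long. */
static const char sample_prop[] =
    "samsung,galaxybook-kbd-backlight\0vendor,fallback-device";

/* Fixed-buffer pattern: returns 1 if the copy is terminated, 0 if not. */
int
copy_fixed(const char *prop, size_t proplen, char out[FIXED_LEN])
{
	size_t n = proplen < FIXED_LEN ? proplen : FIXED_LEN;

	memset(out, 0, FIXED_LEN);
	memcpy(out, prop, n);
	return memchr(out, '\0', FIXED_LEN) != NULL;
}

/* Allocating pattern: size from the property, terminate, report length. */
char *
copy_alloc(const char *prop, size_t proplen, size_t *namelen)
{
	char *buf = malloc(proplen + 1);

	if (buf == NULL)
		return NULL;
	memcpy(buf, prop, proplen);
	buf[proplen] = '\0';
	*namelen = proplen;
	return buf;
}

/* Walk the NUL-separated list; namelen bounds the walk past entry one. */
int
match_compat(const char *name, size_t namelen, const char *want)
{
	const char *p = name, *end = name + namelen;

	while (p < end) {
		if (strcmp(p, want) == 0)
			return 1;
		p += strlen(p) + 1;
	}
	return 0;
}
```

In this model a length of 0 matches nothing, and a 32-character first entry leaves the fixed buffer without a terminator, so any later string function on it would read past the end.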