hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

brcmfmac: Do not use strcpy and strcat 

Commit "c1b2053 brcmfmac: Make firmware path a module parameter"
introduced use of strcpy and strcat. The strcpy and strcat require
using null terminated strings and can cause out-of-bounds memory
access and subsequent corruption. This patch replaces these by
strncpy and strncat respectively to assure array boundaries are
not crossed.

Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Signed-off-by: Daniel Kim <dekim@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
Daniel Kim 2014-07-30 13:20:00 +02:00 committed by John W. Linville
parent 9f0b4cbdee
commit 46de06839b
1 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
View File

@ -670,6 +670,8 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
struct brcmf_sdio_dev *sdiodev)
{
int i;
uint fw_len, nv_len;
char end;
for (i = 0; i < ARRAY_SIZE(brcmf_fwname_data); i++) {
if (brcmf_fwname_data[i].chipid == ci->chip &&
@ -682,16 +684,25 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
return -ENODEV;
}
fw_len = sizeof(sdiodev->fw_name) - 1;
nv_len = sizeof(sdiodev->nvram_name) - 1;
/* check if firmware path is provided by module parameter */
if (brcmf_firmware_path[0] != '\0') {
if (brcmf_firmware_path[strlen(brcmf_firmware_path) - 1] != '/')
strcat(brcmf_firmware_path, "/");
strncpy(sdiodev->fw_name, brcmf_firmware_path, fw_len);
strncpy(sdiodev->nvram_name, brcmf_firmware_path, nv_len);
fw_len -= strlen(sdiodev->fw_name);
nv_len -= strlen(sdiodev->nvram_name);
strcpy(sdiodev->fw_name, brcmf_firmware_path);
strcpy(sdiodev->nvram_name, brcmf_firmware_path);
end = brcmf_firmware_path[strlen(brcmf_firmware_path) - 1];
if (end != '/') {
strncat(sdiodev->fw_name, "/", fw_len);
strncat(sdiodev->nvram_name, "/", nv_len);
fw_len--;
nv_len--;
}
}
strcat(sdiodev->fw_name, brcmf_fwname_data[i].bin);
strcat(sdiodev->nvram_name, brcmf_fwname_data[i].nv);
strncat(sdiodev->fw_name, brcmf_fwname_data[i].bin, fw_len);
strncat(sdiodev->nvram_name, brcmf_fwname_data[i].nv, nv_len);
return 0;
}