All of lore.kernel.org
 help / color / mirror / Atom feed
From: Chen Gang <gang.chen@asianux.com>
To: Omar Ramirez Luna <omar.ramirez@copitl.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: [Suggestion] drivers/staging/tidspbridge:  strcpy and strncpy,  src length checking issue.
Date: Fri, 14 Dec 2012 11:50:10 +0800	[thread overview]
Message-ID: <50CAA1F2.9000003@asianux.com> (raw)

Hello Omar Ramirez Luna:

  in drivers/staging/tidspbridge/rmgr/proc.c:

    if strlen(drv_datap->base_img) == size, will pass checking (line 397)
    the size is the full length of exec_file (line 382, line 468..469)
    strcpy causes issue: src len is strlen(drv_datap->base_img) + '\0'. (line 400)

    strncpy seems also has issue: need use size instead of strlen(iva_img) + 1. (line 402..403)

  please help to check, thanks.

gchen.


 380 static int get_exec_file(struct cfg_devnode *dev_node_obj,
 381                                 struct dev_object *hdev_obj,
 382                                 u32 size, char *exec_file)
 383 {
 384         u8 dev_type;
 385         s32 len;
 386         struct drv_data *drv_datap = dev_get_drvdata(bridge);
 387 
 388         dev_get_dev_type(hdev_obj, (u8 *) &dev_type);
 389 
 390         if (!exec_file)
 391                 return -EFAULT;
 392 
 393         if (dev_type == DSP_UNIT) {
 394                 if (!drv_datap || !drv_datap->base_img)
 395                         return -EFAULT;
 396 
 397                 if (strlen(drv_datap->base_img) > size)
 398                         return -EINVAL;
 399 
 400                 strcpy(exec_file, drv_datap->base_img);
 401         } else if (dev_type == IVA_UNIT && iva_img) {
 402                 len = strlen(iva_img);
 403                 strncpy(exec_file, iva_img, len + 1);
 404         } else {
 405                 return -ENOENT;
 406         }
 407 
 408         return 0;
 409 }
 410 
 ...

 465         /* Get the default executable for this board... */
 466         dev_get_dev_type(hdev_obj, (u8 *) &dev_type);
 467         p_proc_object->processor_id = dev_type;
 468         status = get_exec_file(dev_node_obj, hdev_obj, sizeof(sz_exec_file),
 469                                sz_exec_file);


             reply	other threads:[~2012-12-14  3:49 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-12-14  3:50 Chen Gang [this message]
2012-12-18  2:40 ` [Suggestion] drivers/staging/tidspbridge: strcpy and strncpy, src length checking issue Chen Gang
2012-12-18  5:03   ` Chen Gang
2012-12-24 14:27   ` Omar Ramirez Luna
2012-12-26  1:54     ` Chen Gang
2012-12-31  3:28 ` Chen Gang
2013-01-05 11:16   ` Omar Ramirez Luna
2013-01-05 11:17 ` Omar Ramirez Luna
2013-01-05 11:24   ` Chen Gang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=50CAA1F2.9000003@asianux.com \
    --to=gang.chen@asianux.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=omar.ramirez@copitl.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.