From: Arend van Spriel <arend@broadcom.com>
To: "John W. Linville" <linville@tuxdriver.com>
Cc: linux-wireless <linux-wireless@vger.kernel.org>,
	Daniel Kim <dekim@broadcom.com>,
	Arend van Spriel <arend@broadcom.com>
Subject: [PATCH 1/8] brcmfmac: Do not use strcpy and strcat
Date: Wed, 30 Jul 2014 13:20:00 +0200
Message-ID: <1406719207-5126-2-git-send-email-arend@broadcom.com>
In-Reply-To: <1406719207-5126-1-git-send-email-arend@broadcom.com>

From: Daniel Kim <dekim@broadcom.com>

Commit "c1b2053 brcmfmac: Make firmware path a module parameter"
introduced use of strcpy and strcat. The strcpy and strcat require
using null terminated strings and can cause out-of-bounds memory
access and subsequent corruption. This patch replaces these by
strncpy and strncat respectively to assure array boundaries are
not crossed.

Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Signed-off-by: Daniel Kim <dekim@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
---
 drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c | 25 ++++++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
index 67d91d5..f55f625 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
@@ -670,6 +670,8 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
 				  struct brcmf_sdio_dev *sdiodev)
 {
 	int i;
+	uint fw_len, nv_len;
+	char end;
 
 	for (i = 0; i < ARRAY_SIZE(brcmf_fwname_data); i++) {
 		if (brcmf_fwname_data[i].chipid == ci->chip &&
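Review bot: "uint fw_len, nv_len;" declares the remaining-space counters as unsigned int, while the values this patch stores in them come from sizeof and strlen(), which are size_t. Declaring them size_t would match those operands and the length parameter of strncpy()/strncat(). Because the type is unsigned either way, a remainder below zero cannot be represented, so every decrement of these counters needs an explicit check for zero before it.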
@@ -682,16 +684,25 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
 		return -ENODEV;
 	}
 
+	fw_len = sizeof(sdiodev->fw_name) - 1;
+	nv_len = sizeof(sdiodev->nvram_name) - 1;
 	/* check if firmware path is provided by module parameter */
 	if (brcmf_firmware_path[0] != '\0') {
-		if (brcmf_firmware_path[strlen(brcmf_firmware_path) - 1] != '/')
-			strcat(brcmf_firmware_path, "/");
-
-		strcpy(sdiodev->fw_name, brcmf_firmware_path);
-		strcpy(sdiodev->nvram_name, brcmf_firmware_path);
+		strncpy(sdiodev->fw_name, brcmf_firmware_path, fw_len);
+		strncpy(sdiodev->nvram_name, brcmf_firmware_path, nv_len);
+		fw_len -= strlen(sdiodev->fw_name);
+		nv_len -= strlen(sdiodev->nvram_name);
+
+		end = brcmf_firmware_path[strlen(brcmf_firmware_path) - 1];
+		if (end != '/') {
+			strncat(sdiodev->fw_name, "/", fw_len);
+			strncat(sdiodev->nvram_name, "/", nv_len);
+			fw_len--;
+			nv_len--;
+		}
 	}
-	strcat(sdiodev->fw_name, brcmf_fwname_data[i].bin);
-	strcat(sdiodev->nvram_name, brcmf_fwname_data[i].nv);
+	strncat(sdiodev->fw_name, brcmf_fwname_data[i].bin, fw_len);
+	strncat(sdiodev->nvram_name, brcmf_fwname_data[i].nv, nv_len);
 
 	return 0;
 }
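Review bot: the unconditional "fw_len--; nv_len--;" inside the "if (end != '/')" block can wrap around. When brcmf_firmware_path fills the destination, "fw_len -= strlen(sdiodev->fw_name)" leaves 0, strncat(..., "/", 0) appends nothing, and the decrement then turns the unsigned counter into a very large value, so the final strncat(sdiodev->fw_name, brcmf_fwname_data[i].bin, fw_len) is effectively unbounded again; the same holds for nv_len. Only decrement when the remainder is non-zero, or better, return an error when path, separator and file name do not fit. Separately, strncpy(sdiodev->fw_name, brcmf_firmware_path, fw_len) writes no terminator when the source is fw_len bytes or longer, so the strlen() that follows depends on the last byte of the array already being zero, which nothing in this hunk guarantees. Building each name with one bounded snprintf() and checking its return value would cover both cases and would report truncation instead of silently requesting a shortened firmware file name.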
-- 
1.9.1

