linux-kernel.vger.kernel.org archive mirror
* [PATCH net-next] net: ncsi: Fix buffer overflow in fetching version id
@ 2025-06-10 19:33 kalavakunta.hari.prasad
  2025-06-11  9:09 ` Paul Fertser
  2025-06-13  1:30 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 3+ messages in thread
From: kalavakunta.hari.prasad @ 2025-06-10 19:33 UTC (permalink / raw)
  To: sam, fercerpav, davem, edumazet, kuba, pabeni, horms, netdev,
	linux-kernel
  Cc: npeacock, hkalavakunta, Hari Kalavakunta

From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>

In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
need to be null terminated while its size occupies the full size
of the field. Fix the buffer overflow issue by adding one
additional byte for null terminator.

Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
---
 net/ncsi/internal.h | 2 +-
 net/ncsi/ncsi-rsp.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
index e76c6de0c784..adee6dcabdc3 100644
--- a/net/ncsi/internal.h
+++ b/net/ncsi/internal.h
@@ -110,7 +110,7 @@ struct ncsi_channel_version {
 	u8   update;		/* NCSI version update */
 	char alpha1;		/* NCSI version alpha1 */
 	char alpha2;		/* NCSI version alpha2 */
-	u8  fw_name[12];	/* Firmware name string                */
+	u8  fw_name[12 + 1];	/* Firmware name string                */
 	u32 fw_version;		/* Firmware version                   */
 	u16 pci_ids[4];		/* PCI identification                 */
 	u32 mf_id;		/* Manufacture ID                     */
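Review bot: the comment on `u8  fw_name[12 + 1];` still reads only "Firmware name string", so nothing at the declaration says that the last byte is reserved for a NUL terminator or that 12 is the width of the field being copied. Suggest a named constant for that width (hypothetical name, e.g. NCSI_FW_NAME_LEN), declaring the array as `fw_name[NCSI_FW_NAME_LEN + 1]`, and extending the comment to mention the terminator byte, so the size here and the copy length in ncsi-rsp.c cannot drift apart.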
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 472cc68ad86f..271ec6c3929e 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -775,6 +775,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr)
 	ncv->alpha1 = rsp->alpha1;
 	ncv->alpha2 = rsp->alpha2;
 	memcpy(ncv->fw_name, rsp->fw_name, 12);
+	ncv->fw_name[12] = '\0';
 	ncv->fw_version = ntohl(rsp->fw_version);
 	for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++)
 		ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]);
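Review bot: `memcpy(ncv->fw_name, rsp->fw_name, 12);` and `ncv->fw_name[12] = '\0';` both hard-code 12, and the store at index 12 is in bounds only because internal.h now declares `fw_name[12 + 1]`. Suggest deriving both from the destination, copying `sizeof(ncv->fw_name) - 1` bytes and terminating at that same index, so a later change to the array size cannot turn the terminator write into an out-of-bounds store. A one-line comment that the response field is not guaranteed to be NUL-terminated would also explain why the terminator is written here.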
-- 
2.47.1



* Re: [PATCH net-next] net: ncsi: Fix buffer overflow in fetching version id
  2025-06-10 19:33 [PATCH net-next] net: ncsi: Fix buffer overflow in fetching version id kalavakunta.hari.prasad
@ 2025-06-11  9:09 ` Paul Fertser
  2025-06-13  1:30 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: Paul Fertser @ 2025-06-11  9:09 UTC (permalink / raw)
  To: kalavakunta.hari.prasad
  Cc: sam, davem, edumazet, kuba, pabeni, horms, netdev, linux-kernel,
	npeacock, hkalavakunta

Hello Hari,

On Tue, Jun 10, 2025 at 12:33:38PM -0700, kalavakunta.hari.prasad@gmail.com wrote:
> From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
> 
> In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
> need to be null terminated while its size occupies the full size
> of the field. Fix the buffer overflow issue by adding one
> additional byte for null terminator.
> 
> Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>

You seem to be surprisingly persistent about ignoring my remarks on
your commit message.

So be it, since the code looks correct and reliable, fixes a real life
bug, and actually applies to the right tree now,

Reviewed-by: Paul Fertser <fercerpav@gmail.com>


* Re: [PATCH net-next] net: ncsi: Fix buffer overflow in fetching version id
  2025-06-10 19:33 [PATCH net-next] net: ncsi: Fix buffer overflow in fetching version id kalavakunta.hari.prasad
  2025-06-11  9:09 ` Paul Fertser
@ 2025-06-13  1:30 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-06-13  1:30 UTC (permalink / raw)
  To: Hari Kalavakunta
  Cc: sam, fercerpav, davem, edumazet, kuba, pabeni, horms, netdev,
	linux-kernel, npeacock, hkalavakunta

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 10 Jun 2025 12:33:38 -0700 you wrote:
> From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
> 
> In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
> need to be null terminated while its size occupies the full size
> of the field. Fix the buffer overflow issue by adding one
> additional byte for null terminator.
> 
> [...]

Here is the summary with links:
  - [net-next] net: ncsi: Fix buffer overflow in fetching version id
    https://git.kernel.org/netdev/net-next/c/8e16170ae972

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


