[PATCH v2] nfc: pn544: i2c: Replace strcpy() with strscpy()

[PATCH v2] nfc: pn544: i2c: Replace strcpy() with strscpy()

[tomasz.unger]

From: Tomasz Unger <tomasz.unger@yahoo.pl>

strcpy() does not limit the number of bytes copied which can lead to
buffer overflow when firmware_name is derived from user input via
NFC subsystem. This is a bug fix, not a cleanup.

Replace with strscpy() which limits the copy to the size of the
destination buffer. Since phy->firmware_name is an array, the
two-argument variant of strscpy() is used - the compiler deduces
the buffer size automatically.

Fixes: 06c660340f1e ("NFC: pn544: i2c: Add firmware download implementation for pn544")
Signed-off-by: Tomasz Unger <tomasz.unger@yahoo.pl>
---
Changes since v1 (requested by Simon Horman <horms@kernel.org>):
- Use two-argument strscpy() since phy->firmware_name is an array
    
Testing:
- checkpatch.pl: 0 errors, 0 warnings
- make drivers/nfc/pn544/: compiled successfully, 0 errors, 0 warnings
- Module loaded successfully in QEMU (x86_64) with buildroot:
  insmod pn544.ko - no errors, confirmed via lsmod

 drivers/nfc/pn544/i2c.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nfc/pn544/i2c.c b/drivers/nfc/pn544/i2c.c
index a0dfb3f98d5a..b31b5bef7187 100644
--- a/drivers/nfc/pn544/i2c.c
+++ b/drivers/nfc/pn544/i2c.c
@@ -526,7 +526,7 @@ static int pn544_hci_i2c_fw_download(void *phy_id, const char *firmware_name,
 
 	pr_info("Starting Firmware Download (%s)\n", firmware_name);
 
-	strcpy(phy->firmware_name, firmware_name);
+	strscpy(phy->firmware_name, firmware_name);
 
 	phy->hw_variant = hw_variant;
 	phy->fw_work_state = FW_WORK_STATE_START;
-- 
2.53.0

Re: [PATCH v2] nfc: pn544: i2c: Replace strcpy() with strscpy()

[Simon Horman]

On Wed, Feb 25, 2026 at 06:27:15PM +0100, tomasz.unger@yahoo.pl wrote:
> From: Tomasz Unger <tomasz.unger@yahoo.pl>
> 
> strcpy() does not limit the number of bytes copied which can lead to
> buffer overflow when firmware_name is derived from user input via
> NFC subsystem. This is a bug fix, not a cleanup.
> 
> Replace with strscpy() which limits the copy to the size of the
> destination buffer. Since phy->firmware_name is an array, the
> two-argument variant of strscpy() is used - the compiler deduces
> the buffer size automatically.
> 
> Fixes: 06c660340f1e ("NFC: pn544: i2c: Add firmware download implementation for pn544")
> Signed-off-by: Tomasz Unger <tomasz.unger@yahoo.pl>
> ---
> Changes since v1 (requested by Simon Horman <horms@kernel.org>):
> - Use two-argument strscpy() since phy->firmware_name is an array

Thanks for the update.

Reviewed-by: Simon Horman <horms@kernel.org>

Re: [PATCH v2] nfc: pn544: i2c: Replace strcpy() with strscpy()

[Jakub Kicinski]

On Wed, 25 Feb 2026 18:27:15 +0100 tomasz.unger@yahoo.pl wrote:
> This is a bug fix, not a cleanup.

Could you include an example path thru which a firmware_name longer
than the array can reach the driver? On a quick look the input comes
via netlink which sets the max length appropriately.