Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e47af4fa authored by Yue Ma's avatar Yue Ma Committed by Gerrit - the friendly Code Review server
Browse files

cnss2: NULL terminate fw build timestamp string 



If fw build timestamp passed by QMI from firmware is a non-NULL
terminated string, it might result in a out-of-bounds read when
driver parses the QMI message. Hence manually NULL terminate the
string.

Change-Id: I3597df1a8f69824695443880b161d028b63f9af5
Signed-off-by: default avatarYue Ma <yuem@codeaurora.org>
parent 9812e86a

drivers/net/wireless/cnss2/qmi.c

+3 −0
Original line number Diff line number Diff line
@@ -312,6 +312,7 @@ int cnss_wlfw_tgt_cap_send_sync(struct cnss_plat_data *plat_priv) 
	struct wlfw_cap_req_msg_v01 *req;

	struct wlfw_cap_resp_msg_v01 *resp;

	struct qmi_txn txn;

	char *fw_build_timestamp;

	int ret = 0;



	cnss_pr_dbg("Sending target capability message, state: 0x%lx\n",
@@ -373,6 +374,8 @@ int cnss_wlfw_tgt_cap_send_sync(struct cnss_plat_data *plat_priv) 
	if (resp->fw_version_info_valid) {

		plat_priv->fw_version_info.fw_version =

			resp->fw_version_info.fw_version;

		fw_build_timestamp = resp->fw_version_info.fw_build_timestamp;

		fw_build_timestamp[QMI_WLFW_MAX_TIMESTAMP_LEN] = '\0';

		strlcpy(plat_priv->fw_version_info.fw_build_timestamp,

			resp->fw_version_info.fw_build_timestamp,

			QMI_WLFW_MAX_TIMESTAMP_LEN + 1);