Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ed0acfb0 authored by Yue Ma's avatar Yue Ma
Browse files

cnss2: NULL terminate FW build ID string 



If FW build ID passed by QMI from firmware is a non-NULL terminated
string, it will result in a out-of-bounds read when driver populates
the QMI message using strlcpy where the src string must be NULL
terminated. Hence manually NULL terminate the string.

Change-Id: I8e27c01eae79e56afd1a706d071b4ccfa51d79e0
Signed-off-by: default avatarYue Ma <yuem@codeaurora.org>
parent 7764f1a9

drivers/net/wireless/cnss2/qmi.c

+4 −2
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/* Copyright (c) 2015-2019, The Linux Foundation. All rights reserved. */

/* Copyright (c) 2015-2020, The Linux Foundation. All rights reserved. */



#include <linux/firmware.h>

#include <linux/module.h>
@@ -404,9 +404,11 @@ int cnss_wlfw_tgt_cap_send_sync(struct cnss_plat_data *plat_priv) 
			resp->fw_version_info.fw_build_timestamp,

			QMI_WLFW_MAX_TIMESTAMP_LEN + 1);

	}

	if (resp->fw_build_id_valid)

	if (resp->fw_build_id_valid) {

		resp->fw_build_id[QMI_WLFW_MAX_BUILD_ID_LEN] = '\0';

		strlcpy(plat_priv->fw_build_id, resp->fw_build_id,

			QMI_WLFW_MAX_BUILD_ID_LEN + 1);

	}

	if (resp->voltage_mv_valid) {

		plat_priv->cpr_info.voltage = resp->voltage_mv;

		cnss_pr_dbg("Voltage for CPR: %dmV\n",