
Commit 46de0683 authored by Daniel Kim's avatar Daniel Kim Committed by John W. Linville

brcmfmac: Do not use strcpy and strcat



Commit "c1b20532 brcmfmac: Make firmware path a module parameter"
introduced use of strcpy and strcat. The strcpy and strcat require
using null terminated strings and can cause out-of-bounds memory
access and subsequent corruption. This patch replaces these by
strncpy and strncat respectively to ensure array boundaries are
not crossed.

Reviewed-by: default avatarPieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: default avatarArend Van Spriel <arend@broadcom.com>
Signed-off-by: default avatarDaniel Kim <dekim@broadcom.com>
Signed-off-by: default avatarArend van Spriel <arend@broadcom.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 9f0b4cbd
+18 −7
@@ -670,6 +670,8 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
				  struct brcmf_sdio_dev *sdiodev)
				  struct brcmf_sdio_dev *sdiodev)
{
{
	int i;
	int i;
	uint fw_len, nv_len;
	char end;


	for (i = 0; i < ARRAY_SIZE(brcmf_fwname_data); i++) {
	for (i = 0; i < ARRAY_SIZE(brcmf_fwname_data); i++) {
		if (brcmf_fwname_data[i].chipid == ci->chip &&
		if (brcmf_fwname_data[i].chipid == ci->chip &&
@@ -682,16 +684,25 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
		return -ENODEV;
		return -ENODEV;
	}
	}


	fw_len = sizeof(sdiodev->fw_name) - 1;
	nv_len = sizeof(sdiodev->nvram_name) - 1;
	/* check if firmware path is provided by module parameter */
	/* check if firmware path is provided by module parameter */
	if (brcmf_firmware_path[0] != '\0') {
	if (brcmf_firmware_path[0] != '\0') {
		if (brcmf_firmware_path[strlen(brcmf_firmware_path) - 1] != '/')
		strncpy(sdiodev->fw_name, brcmf_firmware_path, fw_len);
			strcat(brcmf_firmware_path, "/");
		strncpy(sdiodev->nvram_name, brcmf_firmware_path, nv_len);
		fw_len -= strlen(sdiodev->fw_name);
		nv_len -= strlen(sdiodev->nvram_name);


		strcpy(sdiodev->fw_name, brcmf_firmware_path);
		end = brcmf_firmware_path[strlen(brcmf_firmware_path) - 1];
		strcpy(sdiodev->nvram_name, brcmf_firmware_path);
		if (end != '/') {
			strncat(sdiodev->fw_name, "/", fw_len);
			strncat(sdiodev->nvram_name, "/", nv_len);
			fw_len--;
			nv_len--;
		}
		}
	strcat(sdiodev->fw_name, brcmf_fwname_data[i].bin);
	}
	strcat(sdiodev->nvram_name, brcmf_fwname_data[i].nv);
	strncat(sdiodev->fw_name, brcmf_fwname_data[i].bin, fw_len);
	strncat(sdiodev->nvram_name, brcmf_fwname_data[i].nv, nv_len);


	return 0;
	return 0;
}
}
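Review bot: The `fw_len--` / `nv_len--` in the `end != '/'` branch can wrap, because both counters are `uint`: when the module-parameter path already fills a buffer, the earlier subtraction leaves 0, the decrement yields UINT_MAX, and the final `strncat` is then effectively unbounded, which brings back the overflow this commit sets out to remove. The two `strncpy` calls also write no terminator when the path is at least `fw_len` / `nv_len` bytes long, so the `strlen` that follows is safe only if the last byte of each buffer is already zero, which this hunk does not show. A truncated path still returns 0, so the caller would request a file name that is not the one configured. Building each name with one bounded `snprintf` and returning an error on truncation covers all three, as sketched below. The sketch overwrites the buffers rather than appending, so it assumes they are empty on entry (the current code appends when no path is set), and the lines between the chip lookup and the length setup are outside the hunk.

```c
static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
				  struct brcmf_sdio_dev *sdiodev)
{
	int i, n;
	size_t plen;
	const char *sep = "";

	/* … unchanged: chip lookup loop and -ENODEV return … */

	/* add a separator only when a module-parameter path lacks one */
	plen = strlen(brcmf_firmware_path);
	if (plen && brcmf_firmware_path[plen - 1] != '/')
		sep = "/";

	n = snprintf(sdiodev->fw_name, sizeof(sdiodev->fw_name), "%s%s%s",
		     brcmf_firmware_path, sep, brcmf_fwname_data[i].bin);
	if (n < 0 || (size_t)n >= sizeof(sdiodev->fw_name))
		return -ENAMETOOLONG;

	n = snprintf(sdiodev->nvram_name, sizeof(sdiodev->nvram_name), "%s%s%s",
		     brcmf_firmware_path, sep, brcmf_fwname_data[i].nv);
	if (n < 0 || (size_t)n >= sizeof(sdiodev->nvram_name))
		return -ENAMETOOLONG;

	/* … unchanged: return 0 … */
```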