Commit 7c256647 authored by Omar Ramirez Luna's avatar Omar Ramirez Luna Committed by Greg Kroah-Hartman

staging: tidspbridge: fix potential array out of bounds write

The name of the firmware (drv_datap->base_img) could potentially
become equal to 255 valid characters (size of exec_file), this
will result in an out of bounds write, given that the 255 chars
along with a '\0' terminator will be copied into an array of
255 chars.

Produce an error on this cases, because the driver expects the NULL
ending to be among the 255 char limit.
Reported-by: default avatarChen Gang <gang.chen@asianux.com>
Signed-off-by: default avatarOmar Ramirez Luna <omar.ramirez@copitl.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent f14287b9
...@@ -394,7 +394,7 @@ static int get_exec_file(struct cfg_devnode *dev_node_obj, ...@@ -394,7 +394,7 @@ static int get_exec_file(struct cfg_devnode *dev_node_obj,
if (!drv_datap || !drv_datap->base_img) if (!drv_datap || !drv_datap->base_img)
return -EFAULT; return -EFAULT;
if (strlen(drv_datap->base_img) > size) if (strlen(drv_datap->base_img) >= size)
return -EINVAL; return -EINVAL;
strcpy(exec_file, drv_datap->base_img); strcpy(exec_file, drv_datap->base_img);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment