redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity

staging: tidspbridge: fix potential array out of bounds write 

The name of the firmware (drv_datap->base_img) could potentially
become equal to 255 valid characters (size of exec_file), this
will result in an out of bounds write, given that the 255 chars
along with a '\0' terminator will be copied into an array of
255 chars.

Produce an error on this cases, because the driver expects the NULL
ending to be among the 255 char limit.

Reported-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@copitl.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
hifive-unleashed-5.1
Omar Ramirez Luna 2013-01-10 03:36:58 -06:00 committed by Greg Kroah-Hartman
parent f14287b967
commit 7c256647b5
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/staging/tidspbridge/rmgr/proc.c
View File

@ -394,7 +394,7 @@ static int get_exec_file(struct cfg_devnode *dev_node_obj,
if (!drv_datap || !drv_datap->base_img)
return -EFAULT;
if (strlen(drv_datap->base_img) > size)
if (strlen(drv_datap->base_img) >= size)
return -EINVAL;
strcpy(exec_file, drv_datap->base_img);