Skip to content

Commit 46de068

Browse files
Daniel Kimlinvjw
Daniel Kim
authored and
linvjw
committed
brcmfmac: Do not use strcpy and strcat
Commit "c1b2053 brcmfmac: Make firmware path a module parameter" introduced use of strcpy and strcat. The strcpy and strcat require using null terminated strings and can cause out-of-bounds memory access and subsequent corruption. This patch replaces these by strncpy and strncat respectively to assure array boundaries are not crossed. Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com> Reviewed-by: Arend Van Spriel <arend@broadcom.com> Signed-off-by: Daniel Kim <dekim@broadcom.com> Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
1 parent 9f0b4cb commit 46de068

File tree

1 file changed

+18
-7
lines changed

1 file changed

+18
-7
lines changed

drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c

Lines changed: 18 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -670,6 +670,8 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
670670
struct brcmf_sdio_dev *sdiodev)
671671
{
672672
int i;
673+
uint fw_len, nv_len;
674+
char end;
673675

674676
for (i = 0; i < ARRAY_SIZE(brcmf_fwname_data); i++) {
675677
if (brcmf_fwname_data[i].chipid == ci->chip &&
@@ -682,16 +684,25 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
682684
return -ENODEV;
683685
}
684686

687+
fw_len = sizeof(sdiodev->fw_name) - 1;
688+
nv_len = sizeof(sdiodev->nvram_name) - 1;
685689
/* check if firmware path is provided by module parameter */
686690
if (brcmf_firmware_path[0] != '\0') {
687-
if (brcmf_firmware_path[strlen(brcmf_firmware_path) - 1] != '/')
688-
strcat(brcmf_firmware_path, "/");
689-
690-
strcpy(sdiodev->fw_name, brcmf_firmware_path);
691-
strcpy(sdiodev->nvram_name, brcmf_firmware_path);
691+
strncpy(sdiodev->fw_name, brcmf_firmware_path, fw_len);
692+
strncpy(sdiodev->nvram_name, brcmf_firmware_path, nv_len);
693+
fw_len -= strlen(sdiodev->fw_name);
694+
nv_len -= strlen(sdiodev->nvram_name);
695+
696+
end = brcmf_firmware_path[strlen(brcmf_firmware_path) - 1];
697+
if (end != '/') {
698+
strncat(sdiodev->fw_name, "/", fw_len);
699+
strncat(sdiodev->nvram_name, "/", nv_len);
700+
fw_len--;
701+
nv_len--;
702+
}
692703
}
693-
strcat(sdiodev->fw_name, brcmf_fwname_data[i].bin);
694-
strcat(sdiodev->nvram_name, brcmf_fwname_data[i].nv);
704+
strncat(sdiodev->fw_name, brcmf_fwname_data[i].bin, fw_len);
705+
strncat(sdiodev->nvram_name, brcmf_fwname_data[i].nv, nv_len);
695706

696707
return 0;
697708
}

0 commit comments

Comments
 (0)