authorDaniel Kim <dekim@broadcom.com>2014-07-30 07:20:00 -0400
committerJohn W. Linville <linville@tuxdriver.com>2014-07-31 13:41:44 -0400
commit46de06839b4936cc5fd4e6638b8fbf8437bce29e (patch)
tree108dc393091e191ce8828d228802255b982c149b /drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
parent9f0b4cbdee09e635906611ed8dcc5c51116cbd75 (diff)
brcmfmac: Do not use strcpy and strcat
Commit "c1b2053 brcmfmac: Make firmware path a module parameter" introduced use of strcpy and strcat. The strcpy and strcat require using null terminated strings and can cause out-of-bounds memory access and subsequent corruption. This patch replaces these by strncpy and strncat respectively to assure array boundaries are not crossed. Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com> Reviewed-by: Arend Van Spriel <arend@broadcom.com> Signed-off-by: Daniel Kim <dekim@broadcom.com> Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c')
-rw-r--r--drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c25
1 files changed, 18 insertions, 7 deletions
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
index 67d91d5cc13d..f55f625fd06b 100644
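--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
@@ -670,6 +670,8 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
  struct brcmf_sdio_dev *sdiodev)
 {
  int i;
+ uint fw_len, nv_len;
+ char end;
 
  for (i = 0; i < ARRAY_SIZE(brcmf_fwname_data); i++) {
  if (brcmf_fwname_data[i].chipid == ci->chip &&
@@ -682,16 +684,25 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
  return -ENODEV;
  }
 
+ fw_len = sizeof(sdiodev->fw_name) - 1;
+ nv_len = sizeof(sdiodev->nvram_name) - 1;
  /* check if firmware path is provided by module parameter */
  if (brcmf_firmware_path[0] != '\0') {
- if (brcmf_firmware_path[strlen(brcmf_firmware_path) - 1] != '/')
- strcat(brcmf_firmware_path, "/");
-
- strcpy(sdiodev->fw_name, brcmf_firmware_path);
- strcpy(sdiodev->nvram_name, brcmf_firmware_path);
+ strncpy(sdiodev->fw_name, brcmf_firmware_path, fw_len);
+ strncpy(sdiodev->nvram_name, brcmf_firmware_path, nv_len);
+ fw_len -= strlen(sdiodev->fw_name);
+ nv_len -= strlen(sdiodev->nvram_name);
+
+ end = brcmf_firmware_path[strlen(brcmf_firmware_path) - 1];
+ if (end != '/') {
+ strncat(sdiodev->fw_name, "/", fw_len);
+ strncat(sdiodev->nvram_name, "/", nv_len);
+ fw_len--;
+ nv_len--;
+ }
  }
- strcat(sdiodev->fw_name, brcmf_fwname_data[i].bin);
- strcat(sdiodev->nvram_name, brcmf_fwname_data[i].nv);
+ strncat(sdiodev->fw_name, brcmf_fwname_data[i].bin, fw_len);
+ strncat(sdiodev->nvram_name, brcmf_fwname_data[i].nv, nv_len);
 
  return 0;
 }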
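Review bot: `fw_len--` and `nv_len--` in the `end != '/'` branch can wrap the `uint` counters to UINT_MAX when the preceding `strncpy()` has already filled the buffer, after which the two final `strncat()` calls are effectively unbounded again. The `strlen()` calls right after `strncpy()` also depend on the last byte of `fw_name` and `nvram_name` already being zero, which nothing in these hunks establishes (presumably the struct is zero-allocated; worth confirming). Truncation is silent as well, so the function returns 0 with a cut-off file name instead of failing. Building each name with a single `snprintf()` and checking its return value removes the manual length bookkeeping; the lookup loop between the two hunks is not visible here and is left as it is.

```c
	const char *sep = "";
	int n;

	/* … unchanged: chip lookup loop and -ENODEV return … */

	/* check if firmware path is provided by module parameter */
	if (brcmf_firmware_path[0] != '\0' &&
	    brcmf_firmware_path[strlen(brcmf_firmware_path) - 1] != '/')
		sep = "/";

	n = snprintf(sdiodev->fw_name, sizeof(sdiodev->fw_name), "%s%s%s",
		     brcmf_firmware_path, sep, brcmf_fwname_data[i].bin);
	if (n < 0 || (size_t)n >= sizeof(sdiodev->fw_name))
		return -ENAMETOOLONG;

	n = snprintf(sdiodev->nvram_name, sizeof(sdiodev->nvram_name), "%s%s%s",
		     brcmf_firmware_path, sep, brcmf_fwname_data[i].nv);
	if (n < 0 || (size_t)n >= sizeof(sdiodev->nvram_name))
		return -ENAMETOOLONG;

	return 0;
```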