diff options
author | Christian Engelmayer <cengelma@gmx.at> | 2015-02-07 17:40:52 -0500 |
---|---|---|
committer | Mark Brown <broonie@kernel.org> | 2015-02-07 22:08:27 -0500 |
commit | 279e17ae81c17b40ae7a6c9e10f386a7aac7aa55 (patch) | |
tree | 1c4726682f64ce4c3226e7b177ab5c1dde8b78a7 /sound | |
parent | 5c2b06369dafd796ebb4f17dab543d3da500245e (diff) |
ASoC: Intel: sst: Fix firmware name size handling
Function sst_acpi_probe() uses plain strcpy for setting member firmware_name
of a struct intel_sst_drv from member firmware of a struct sst_machines.
Thereby the destination array has got a length of 20 byte while the source may
hold 32 byte. Since eg. commit 64b9c90b8600 ("ASoC: Intel: Fix BYTCR firmware
name") increased strings from "fw_sst_0f28.bin" to "intel/fw_sst_0f28.bin"
there is an actual possibility that the 20 byte array at the end of struct
intel_sst_drv is overrun.
Thus increase the size of the destination and use the same define for both
structs. Detected by Coverity CID 1260087.
Signed-off-by: Christian Engelmayer <cengelma@gmx.at>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Diffstat (limited to 'sound')
-rw-r--r-- | sound/soc/intel/sst/sst.h | 3 | ||||
-rw-r--r-- | sound/soc/intel/sst/sst_acpi.c | 2 |
2 files changed, 3 insertions, 2 deletions
diff --git a/sound/soc/intel/sst/sst.h b/sound/soc/intel/sst/sst.h index 7f4bbfcbc6f5..562bc483d6b7 100644 --- a/sound/soc/intel/sst/sst.h +++ b/sound/soc/intel/sst/sst.h | |||
@@ -58,6 +58,7 @@ enum sst_algo_ops { | |||
58 | #define SST_BLOCK_TIMEOUT 1000 | 58 | #define SST_BLOCK_TIMEOUT 1000 |
59 | 59 | ||
60 | #define FW_SIGNATURE_SIZE 4 | 60 | #define FW_SIGNATURE_SIZE 4 |
61 | #define FW_NAME_SIZE 32 | ||
61 | 62 | ||
62 | /* stream states */ | 63 | /* stream states */ |
63 | enum sst_stream_states { | 64 | enum sst_stream_states { |
@@ -426,7 +427,7 @@ struct intel_sst_drv { | |||
426 | * Holder for firmware name. Due to async call it needs to be | 427 | * Holder for firmware name. Due to async call it needs to be |
427 | * persistent till worker thread gets called | 428 | * persistent till worker thread gets called |
428 | */ | 429 | */ |
429 | char firmware_name[20]; | 430 | char firmware_name[FW_NAME_SIZE]; |
430 | }; | 431 | }; |
431 | 432 | ||
432 | /* misc definitions */ | 433 | /* misc definitions */ |
diff --git a/sound/soc/intel/sst/sst_acpi.c b/sound/soc/intel/sst/sst_acpi.c index b3360139c41a..51f83bad5319 100644 --- a/sound/soc/intel/sst/sst_acpi.c +++ b/sound/soc/intel/sst/sst_acpi.c | |||
@@ -47,7 +47,7 @@ struct sst_machines { | |||
47 | char board[32]; | 47 | char board[32]; |
48 | char machine[32]; | 48 | char machine[32]; |
49 | void (*machine_quirk)(void); | 49 | void (*machine_quirk)(void); |
50 | char firmware[32]; | 50 | char firmware[FW_NAME_SIZE]; |
51 | struct sst_platform_info *pdata; | 51 | struct sst_platform_info *pdata; |
52 | 52 | ||
53 | }; | 53 | }; |