summaryrefslogtreecommitdiff
path: root/drivers/net/wireless/brcm80211
diff options
context:
space:
mode:
authorDaniel Kim <dekim@broadcom.com>2014-07-30 13:20:00 +0200
committerJohn W. Linville <linville@tuxdriver.com>2014-07-31 13:41:44 -0400
commit46de06839b4936cc5fd4e6638b8fbf8437bce29e (patch)
tree108dc393091e191ce8828d228802255b982c149b /drivers/net/wireless/brcm80211
parent9f0b4cbdee09e635906611ed8dcc5c51116cbd75 (diff)
brcmfmac: Do not use strcpy and strcat
Commit "c1b2053 brcmfmac: Make firmware path a module parameter" introduced use of strcpy and strcat. The strcpy and strcat require using null terminated strings and can cause out-of-bounds memory access and subsequent corruption. This patch replaces these by strncpy and strncat respectively to assure array boundaries are not crossed. Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com> Reviewed-by: Arend Van Spriel <arend@broadcom.com> Signed-off-by: Daniel Kim <dekim@broadcom.com> Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/brcm80211')
-rw-r--r--drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c25
1 files changed, 18 insertions, 7 deletions
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
index 67d91d5cc13d..f55f625fd06b 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
@@ -670,6 +670,8 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
struct brcmf_sdio_dev *sdiodev)
{
int i;
+ uint fw_len, nv_len;
+ char end;
for (i = 0; i < ARRAY_SIZE(brcmf_fwname_data); i++) {
if (brcmf_fwname_data[i].chipid == ci->chip &&
@@ -682,16 +684,25 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
return -ENODEV;
}
+ fw_len = sizeof(sdiodev->fw_name) - 1;
+ nv_len = sizeof(sdiodev->nvram_name) - 1;
/* check if firmware path is provided by module parameter */
if (brcmf_firmware_path[0] != '\0') {
- if (brcmf_firmware_path[strlen(brcmf_firmware_path) - 1] != '/')
- strcat(brcmf_firmware_path, "/");
-
- strcpy(sdiodev->fw_name, brcmf_firmware_path);
- strcpy(sdiodev->nvram_name, brcmf_firmware_path);
+ strncpy(sdiodev->fw_name, brcmf_firmware_path, fw_len);
+ strncpy(sdiodev->nvram_name, brcmf_firmware_path, nv_len);
+ fw_len -= strlen(sdiodev->fw_name);
+ nv_len -= strlen(sdiodev->nvram_name);
+
+ end = brcmf_firmware_path[strlen(brcmf_firmware_path) - 1];
+ if (end != '/') {
+ strncat(sdiodev->fw_name, "/", fw_len);
+ strncat(sdiodev->nvram_name, "/", nv_len);
+ fw_len--;
+ nv_len--;
+ }
}
- strcat(sdiodev->fw_name, brcmf_fwname_data[i].bin);
- strcat(sdiodev->nvram_name, brcmf_fwname_data[i].nv);
+ strncat(sdiodev->fw_name, brcmf_fwname_data[i].bin, fw_len);
+ strncat(sdiodev->nvram_name, brcmf_fwname_data[i].nv, nv_len);
return 0;
}