提交 d63c7dd5 编写于 作者: I Insu Yun 提交者: Martin K. Petersen

ipr: Fix out-of-bounds null overwrite

Return value of snprintf is not bound by size value, 2nd argument.
(https://www.kernel.org/doc/htmldocs/kernel-api/API-snprintf.html).
Return value is number of printed chars, can be larger than 2nd
argument.  Therefore, it can write null byte out of bounds ofbuffer.
Since snprintf puts null, it does not need to put additional null byte.
Signed-off-by: NInsu Yun <wuninsu@gmail.com>
Reviewed-by: NShane Seymour <shane.seymour@hpe.com>
Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
上级 9055082f
......@@ -4003,13 +4003,12 @@ static ssize_t ipr_store_update_fw(struct device *dev,
struct ipr_sglist *sglist;
char fname[100];
char *src;
int len, result, dnld_size;
int result, dnld_size;
if (!capable(CAP_SYS_ADMIN))
return -EACCES;
len = snprintf(fname, 99, "%s", buf);
fname[len-1] = '\0';
snprintf(fname, sizeof(fname), "%s", buf);
if (request_firmware(&fw_entry, fname, &ioa_cfg->pdev->dev)) {
dev_err(&ioa_cfg->pdev->dev, "Firmware file %s not found\n", fname);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册