From patchwork Sat Feb 7 22:40:52 2015
X-Patchwork-Submitter: Christian Engelmayer
X-Patchwork-Id: 5796831
From: Christian Engelmayer
To: broonie@kernel.org, vinod.koul@intel.com, subhransu.s.prusty@intel.com
Cc: alsa-devel@alsa-project.org, Christian Engelmayer, wsa@the-dreams.de, tiwai@suse.de, mengdong.lin@intel.com, lgirdwood@gmail.com, yang.a.fang@intel.com, yongjun_wei@trendmicro.com.cn, jarkko.nikula@linux.intel.com, kevin.strasser@linux.intel.com, fengguang.wu@intel.com
Date: Sat, 7 Feb 2015 23:40:52 +0100
Message-Id: <1423348852-29466-1-git-send-email-cengelma@gmx.at>
Subject: [alsa-devel] [PATCH] ASoC: Intel: sst: Fix firmware name size handling

Function sst_acpi_probe() uses plain strcpy for setting member firmware_name of a struct intel_sst_drv from member firmware of a struct sst_machines. Thereby the destination array has got a length of 20 bytes while the source may hold 32 bytes. Since e.g. commit 64b9c90b8600 ("ASoC: Intel: Fix BYTCR firmware name") increased strings from "fw_sst_0f28.bin" to "intel/fw_sst_0f28.bin" there is an actual possibility that the 20 byte array at the end of struct intel_sst_drv is overrun. Thus increase the size of the destination and use the same define for both structs.

Detected by Coverity CID 1260087.

Signed-off-by: Christian Engelmayer --- Compile tested only. Applies against linux-next. --- sound/soc/intel/sst/sst.h | 3 ++- sound/soc/intel/sst/sst_acpi.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/sound/soc/intel/sst/sst.h b/sound/soc/intel/sst/sst.h index 7f4bbfc..562bc48 100644 --- a/sound/soc/intel/sst/sst.h +++ b/sound/soc/intel/sst/sst.h @@ -58,6 +58,7 @@ enum sst_algo_ops { #define SST_BLOCK_TIMEOUT 1000 #define FW_SIGNATURE_SIZE 4 +#define FW_NAME_SIZE 32 /* stream states */ enum sst_stream_states { @@ -426,7 +427,7 @@ struct intel_sst_drv { * Holder for firmware name. Due to async call it needs to be * persistent till worker thread gets called */ - char firmware_name[20]; + char firmware_name[FW_NAME_SIZE]; }; /* misc definitions */ diff --git a/sound/soc/intel/sst/sst_acpi.c b/sound/soc/intel/sst/sst_acpi.c index 43bc1c4..0542442 100644 --- a/sound/soc/intel/sst/sst_acpi.c +++ b/sound/soc/intel/sst/sst_acpi.c @@ -47,7 +47,7 @@ struct sst_machines { char board[32]; char machine[32]; void (*machine_quirk)(void); - char firmware[32]; + char firmware[FW_NAME_SIZE]; struct sst_platform_info *pdata; };
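Review bot: The new FW_NAME_SIZE define in the first sst.h hunk (@@ -58,6 +58,7 @@) has no comment saying what it bounds or whether the 32 includes the terminating NUL. Since it now sizes both intel_sst_drv.firmware_name and sst_machines.firmware, a one-line comment next to the define stating that it is the maximum firmware path length including the NUL would stop a later change from resizing only one side again. For reference, "intel/fw_sst_0f28.bin" needs 22 bytes with its terminator, so it fits in 32 but not in the old 20.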
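Review bot: The strcpy() in sst_acpi_probe() that the commit message names as the overrunning copy is left untouched; the only sst_acpi.c change (@@ -47,7 +47,7 @@) is the size of sst_machines.firmware, matching the diffstat of one insertion and one deletion for that file. With both arrays at FW_NAME_SIZE a properly terminated source now fits, but the copy is still unbounded and correct only as long as every firmware initializer is NUL-terminated within 32 bytes. Consider switching the copy to a bounded one such as strlcpy() with sizeof() of the destination firmware_name, so the bound is enforced where the copy happens rather than by two declarations agreeing. As a minor style point in the same hunk, board[32] and machine[32] still carry a literal 32 beside the new define.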