From patchwork Thu Jan 10 09:36:58 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Omar Ramirez Luna X-Patchwork-Id: 1959171 Return-Path: X-Original-To: patchwork-linux-omap@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork2.kernel.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork2.kernel.org (Postfix) with ESMTP id BDF38DF264 for ; Thu, 10 Jan 2013 09:37:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751722Ab3AJJhT (ORCPT ); Thu, 10 Jan 2013 04:37:19 -0500 Received: from mail-ob0-f170.google.com ([209.85.214.170]:46063 "EHLO mail-ob0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752634Ab3AJJhS (ORCPT ); Thu, 10 Jan 2013 04:37:18 -0500 Received: by mail-ob0-f170.google.com with SMTP id wp18so333691obc.15 for ; Thu, 10 Jan 2013 01:37:18 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:subject:date:message-id:x-mailer:in-reply-to :references:x-gm-message-state; bh=daJ1k56UQQZvMVuBXyHg5Bvn7zRCGCZov5s3vaDTZbs=; b=Q21+odyMaCceMWUA6vZE32CNRBZ1TmA+IoJ5hNMvL4sEP0caC7d6uX2iW8SqxaaOy7 gClO0I9jPzDkkAN2rtAyStjtNLOlFmVvxq+kLrFv5GrBPNGcK46z8izulyA4q3fHI6NV 1d+1NxkTIjT44Dgt4xPhl1iqvNJMxtj7UIMjqzM52CxkKaj7QoAgUsDf+hjGE4/5rxik wtnhid+i0s0odg/kmg4dOzR2oSq2keWzcfpC/eRFiNHgyq79V91EKoJikpT0UU3vWsdu Sc81rc7KWWlYmwhDLp6H6e6Q8O0q6NyVuW7ipfdWN57aGcLTQSBY5hGYUWR47c1IFrHE 4YkA== X-Received: by 10.182.146.13 with SMTP id sy13mr50491970obb.45.1357810638062; Thu, 10 Jan 2013 01:37:18 -0800 (PST) Received: from localhost.localdomain (cpe-76-185-160-228.tx.res.rr.com. [76.185.160.228]) by mx.google.com with ESMTPS id ag15sm826005oec.11.2013.01.10.01.37.17 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 10 Jan 2013 01:37:17 -0800 (PST) From: Omar Ramirez Luna To: Greg Kroah-Hartman Cc: Chen Gang , devel@driverdev.osuosl.org, linux-omap@vger.kernel.org, Omar Ramirez Luna Subject: [PATCH 1/5] staging: tidspbridge: fix potential array out of bounds write Date: Thu, 10 Jan 2013 03:36:58 -0600 Message-Id: <1357810622-1709-2-git-send-email-omar.ramirez@copitl.com> X-Mailer: git-send-email 1.7.4.4 In-Reply-To: <1357810622-1709-1-git-send-email-omar.ramirez@copitl.com> References: <1357810622-1709-1-git-send-email-omar.ramirez@copitl.com> X-Gm-Message-State: ALoCoQm44LzulRp6COdJDEO87qiJ4tq1RYYxByHPPDqusjXJPunVBi0eKOxmNH7coVfr3C6Rtmqg Sender: linux-omap-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-omap@vger.kernel.org The name of the firmware (drv_datap->base_img) could potentially become equal to 255 valid characters (size of exec_file), this will result in an out of bounds write, given that the 255 chars along with a '\0' terminator will be copied into an array of 255 chars. Produce an error on this cases, because the driver expects the NULL ending to be among the 255 char limit. Reported-by: Chen Gang Signed-off-by: Omar Ramirez Luna --- drivers/staging/tidspbridge/rmgr/proc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/drivers/staging/tidspbridge/rmgr/proc.c b/drivers/staging/tidspbridge/rmgr/proc.c index 5e43938..ac016ed 100644 --- a/drivers/staging/tidspbridge/rmgr/proc.c +++ b/drivers/staging/tidspbridge/rmgr/proc.c @@ -394,7 +394,7 @@ static int get_exec_file(struct cfg_devnode *dev_node_obj, if (!drv_datap || !drv_datap->base_img) return -EFAULT; - if (strlen(drv_datap->base_img) > size) + if (strlen(drv_datap->base_img) >= size) return -EINVAL; strcpy(exec_file, drv_datap->base_img);