On Mon, Jun 08, 2015 at 12:56:44PM -0700, Kees Cook wrote:
> On Mon, May 18, 2015 at 5:45 PM, Luis R. Rodriguez
> <mcgrof@xxxxxxxxxxxxxxxx> wrote:
> > From: "Luis R. Rodriguez" <mcgrof@xxxxxxxx>
> >
> > diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c > > index 134dd77..97cab65 100644 > > --- a/drivers/base/firmware_class.c > > +++ b/drivers/base/firmware_class.c > > @@ -180,17 +190,33 @@ static struct firmware_buf *__allocate_fw_buf(const char *fw_name, > > struct firmware_cache *fwc) > > { > > struct firmware_buf *buf; > > + const char *sign_ext = ".p7s"; > > + char *signed_name; > > + > > + signed_name = kzalloc(PATH_MAX, GFP_ATOMIC); > > + if (!signed_name) > > + return NULL; > > > > buf = kzalloc(sizeof(*buf), GFP_ATOMIC); > > - if (!buf) > > + if (!buf) { > > + kfree(signed_name); > > return NULL; > > + } > > > > buf->fw_id = kstrdup_const(fw_name, GFP_ATOMIC); > > if (!buf->fw_id) { > > + kfree(signed_name); > > kfree(buf); > > return NULL; > > } > > > > + strcpy(signed_name, buf->fw_id); > > + strncat(signed_name, sign_ext, strlen(sign_ext));
>
> fw_id is potentially unbounded, so using strncat here poses an
> overflow risk. Maybe better to use strlcpy?
>

Thanks for the feedback, indeed.

  Luis
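
Review bot: the `strcpy(signed_name, buf->fw_id)` / `strncat(signed_name, sign_ext, strlen(sign_ext))` pair at the end of the hunk writes into a fixed PATH_MAX buffer without ever checking the length of fw_id, and the strncat bound does not help: its third argument caps how many bytes are taken from sign_ext, not how much room remains in signed_name, so the call behaves exactly like strcat here. Suggest rejecting the request up front when `strlen(fw_name) + strlen(sign_ext) >= PATH_MAX`, or building the name with `snprintf(signed_name, PATH_MAX, "%s%s", buf->fw_id, sign_ext)` and failing if the return value is `>= PATH_MAX`, so a long name is refused rather than truncated into a different signature file name. Alternatively, `kasprintf(GFP_ATOMIC, "%s%s", ...)` sizes the allocation to the actual string and removes the fixed PATH_MAX atomic allocation added at the top of the function.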