[PATCH 1/5] staging: tidspbridge: fix potential array out of bounds write
Omar Ramirez Luna
omar.ramirez at copitl.com
Thu Jan 10 09:36:58 UTC 2013
The name of the firmware (drv_datap->base_img) could potentially
become equal to 255 valid characters (size of exec_file), this
will result in an out of bounds write, given that the 255 chars
along with a '\0' terminator will be copied into an array of
255 chars.
Produce an error on this cases, because the driver expects the NULL
ending to be among the 255 char limit.
Reported-by: Chen Gang <gang.chen at asianux.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez at copitl.com>
---
drivers/staging/tidspbridge/rmgr/proc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/staging/tidspbridge/rmgr/proc.c b/drivers/staging/tidspbridge/rmgr/proc.c
index 5e43938..ac016ed 100644
--- a/drivers/staging/tidspbridge/rmgr/proc.c
+++ b/drivers/staging/tidspbridge/rmgr/proc.c
@@ -394,7 +394,7 @@ static int get_exec_file(struct cfg_devnode *dev_node_obj,
if (!drv_datap || !drv_datap->base_img)
return -EFAULT;
- if (strlen(drv_datap->base_img) > size)
+ if (strlen(drv_datap->base_img) >= size)
return -EINVAL;
strcpy(exec_file, drv_datap->base_img);
--
1.7.4.4
More information about the devel
mailing list