The firmware_tag string comes from userspace and may not be NUL terminated. strlcpy() performs strlen() on the source buffer, which can read past the end and potentially cause an Oops. strscpy() avoids this and guarantees NUL termination without overflowing the destination.
Signed-off-by: Dharanitharan R <dharanitharan725@gmail.com>
---
Changes in v4:
- Replace strlcpy() with strscpy() based on maintainer feedback
- Added explanation about user-controlled buffers

Changes in v3:
- Fix Signed-off-by spacing
- Move changelog below '---'

Changes in v2:
- Fixed indentation issues reported by Greg KH
---
 .../greybus/Documentation/firmware/firmware.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/greybus/Documentation/firmware/firmware.c b/drivers/staging/greybus/Documentation/firmware/firmware.c index 6f6410878ee6..84b9cf45fc8e 100644 --- a/drivers/staging/greybus/Documentation/firmware/firmware.c +++ b/drivers/staging/greybus/Documentation/firmware/firmware.c @@ -63,10 +63,11 @@ static int update_intf_firmware(int fd) intf_load.major = 0; intf_load.minor = 0;
- strlcpy(intf_load.firmware_tag, firmware_tag, - GB_FIRMWARE_U_TAG_MAX_SIZE); + /* firmware_tag comes from userspace and may not be NUL terminated. + * strscpy() avoids strlen() on src and guarantees NUL termination. + */ + strscpy(intf_load.firmware_tag, firmware_tag, + GB_FIRMWARE_U_TAG_MAX_SIZE);
ret = ioctl(fd, FW_MGMT_IOC_INTF_LOAD_AND_VALIDATE, &intf_load); if (ret < 0) { @@ -103,8 +104,8 @@ static int update_backend_firmware(int fd) /* Get Backend Firmware Version */ printf("Getting Backend Firmware Version\n");
- strlcpy(backend_fw_info.firmware_tag, firmware_tag, - GB_FIRMWARE_U_TAG_MAX_SIZE); + strscpy(backend_fw_info.firmware_tag, firmware_tag, + GB_FIRMWARE_U_TAG_MAX_SIZE);
retry_fw_version: @@ -132,8 +133,8 @@ static int update_backend_firmware(int fd) /* Try Backend Firmware Update over Unipro */ printf("Updating Backend Firmware\n");
- strlcpy(backend_update.firmware_tag, firmware_tag, - GB_FIRMWARE_U_TAG_MAX_SIZE); + strscpy(backend_update.firmware_tag, firmware_tag, + GB_FIRMWARE_U_TAG_MAX_SIZE);
retry_fw_update: backend_update.status = 0;
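Review bot: the replacement in the first hunk (update_intf_firmware) will not build as userspace code: strscpy() is a kernel-internal helper from include/linux/string.h, not a libc function, and this file is a userspace sample program, as the ioctl(fd, FW_MGMT_IOC_INTF_LOAD_AND_VALIDATE, &intf_load) and printf() calls in the context lines show. The added comment also describes firmware_tag as coming "from userspace" and the commit message speaks of an Oops, but there is no kernel boundary at this call site; a read past an unterminated buffer here would be a fault in this program, not a kernel Oops. If the intent is to copy a possibly unterminated tag without reading beyond the bound, use a copy whose read length does not depend on the source, for example
  strncpy(intf_load.firmware_tag, firmware_tag, GB_FIRMWARE_U_TAG_MAX_SIZE - 1);
  intf_load.firmware_tag[GB_FIRMWARE_U_TAG_MAX_SIZE - 1] = '\0';
and reword the comment to state where firmware_tag is actually populated in this program, since that is not visible in the hunk.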
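Review bot: the second and third hunks (both in update_backend_firmware) repeat the substitution from the first hunk without its explanatory comment, and all three sites copy the same firmware_tag into a different structure with the same GB_FIRMWARE_U_TAG_MAX_SIZE bound. Rather than duplicating the call and its justification at each site, factor the bounded copy into one small static helper in this file (a suggested name, not an existing function: copy_firmware_tag(char *dst)) and call it from update_intf_firmware() and both places in update_backend_firmware(); that keeps the comment in one place and makes the build concern raised for the first hunk a single fix rather than three.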