staging: tidspbridge: fix potential array out of bounds write

The name of the firmware (drv_datap->base_img) could potentially become equal to 255 valid characters (size of exec_file), this will result in an out of bounds write, given that the 255 chars along with a '\0' terminator will be copied into an array of 255 chars. Produce an error on this cases, because the driver expects the NULL ending to be among the 255 char limit. Reported-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Omar Ramirez Luna <omar.ramirez@copitl.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging: tidspbridge: fix potential array out of bounds write
The name of the firmware (drv_datap->base_img) could potentially become equal to 255 valid characters (size of exec_file), this will result in an out of bounds write, given that the 255 chars along with a '\0' terminator will be copied into an array of 255 chars. Produce an error on this cases, because the driver expects the NULL ending to be among the 255 char limit. Reported-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Omar Ramirez Luna <omar.ramirez@copitl.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7c256647 · Omar Ramirez Luna · Greg Kroah-Hartman · f14287b9 · 7c256647
Commit 7c256647 authored Jan 10, 2013 by Omar Ramirez Luna Committed by Greg Kroah-Hartman Jan 17, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/staging/tidspbridge/rmgr/proc.c drivers/staging/tidspbridge/rmgr/proc.c +1 -1

No files found.
--- a/drivers/staging/tidspbridge/rmgr/proc.c
+++ b/drivers/staging/tidspbridge/rmgr/proc.c
@@ -394,7 +394,7 @@ static int get_exec_file(struct cfg_devnode *dev_node_obj,
 		if (!drv_datap || !drv_datap->base_img)
 			return -EFAULT;

-		if (strlen(drv_datap->base_img) > size)
+		if (strlen(drv_datap->base_img) >= size)
 			return -EINVAL;

 		strcpy(exec_file, drv_datap->base_img);