net: ncsi: Fix buffer overflow in fetching version id
authorHari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
Tue, 10 Jun 2025 19:33:38 +0000 (12:33 -0700)
committerJakub Kicinski <kuba@kernel.org>
Fri, 13 Jun 2025 01:21:59 +0000 (18:21 -0700)
In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
need to be null-terminated when it occupies the full size
of the field. Fix the buffer overflow by adding one
additional byte for the null terminator.

Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
Reviewed-by: Paul Fertser <fercerpav@gmail.com>
Link: https://patch.msgid.link/20250610193338.1368-1-kalavakunta.hari.prasad@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/ncsi/internal.h
net/ncsi/ncsi-rsp.c

index e76c6de0c784488afdf20e63d7ceb9af852ff659..adee6dcabdc3fef327e9a5cf9e2f150c0926eda3 100644 (file)
@@ -110,7 +110,7 @@ struct ncsi_channel_version {
        u8   update;            /* NCSI version update */
        char alpha1;            /* NCSI version alpha1 */
        char alpha2;            /* NCSI version alpha2 */
-       u8  fw_name[12];        /* Firmware name string                */
+       u8  fw_name[12 + 1];    /* Firmware name string                */
        u32 fw_version;         /* Firmware version                   */
        u16 pci_ids[4];         /* PCI identification                 */
        u32 mf_id;              /* Manufacture ID                     */
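Review bot: The literal `12 + 1` in `fw_name` is tied by hand to the `memcpy(..., 12)` and the `ncv->fw_name[12] = '\0'` write in ncsi_rsp_handler_gvi (net/ncsi/ncsi-rsp.c), so changing one without the others brings back an unterminated name or an out-of-bounds store. A shared named length would keep them in step, for example `#define NCSI_FW_NAME_LEN 12` and `u8  fw_name[NCSI_FW_NAME_LEN + 1];` here, with the handler using the same name (NCSI_FW_NAME_LEN is a name made up for this note, not one taken from the tree). The field comment could also record the invariant the extra byte buys: `/* Firmware name, always NUL-terminated */`. The struct definition starts and ends outside the hunk.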
index 472cc68ad86f2f4935a5b339aef2391653647001..271ec6c3929e8525605fec0abb99aabaad461fc5 100644 (file)
@@ -775,6 +775,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr)
        ncv->alpha1 = rsp->alpha1;
        ncv->alpha2 = rsp->alpha2;
        memcpy(ncv->fw_name, rsp->fw_name, 12);
+       ncv->fw_name[12] = '\0';
        ncv->fw_version = ntohl(rsp->fw_version);
        for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++)
                ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]);
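Review bot: The added `ncv->fw_name[12] = '\0';` carries no comment saying why it is needed, so it reads like redundant code that a later cleanup could remove; I would put `/* NC-SI 1.2 lets the name fill all 12 bytes with no NUL; terminate our copy */` above it. The terminator only bounds later string reads. The 12 bytes are still whatever the device put in the response, so code that prints or exports the name (none is visible here) should not assume printable text. ncsi_rsp_handler_gvi starts and ends outside the hunk.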