net: ncsi: Fix buffer overflow in fetching version id

[ Upstream commit 8e16170ae972c7fed132bc928914a2ffb94690fc ]

In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
need to be null terminated while its size occupies the full size
of the field. Fix the buffer overflow issue by adding one
additional byte for null terminator.

Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
Reviewed-by: Paul Fertser <fercerpav@gmail.com>
Link: https://patch.msgid.link/20250610193338.1368-1-kalavakunta.hari.prasad@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
index c61d2e2e93adc3c8e24b3f55d18380ebb996734b..6ebf9e55c04640ab2187ec1a723581fc2fdaef27 100644 (file)
--- a/net/ncsi/internal.h
+++ b/net/ncsi/internal.h
@@ -107,7 +107,7 @@ struct ncsi_channel_version {
        u8   update;            /* NCSI version update */
        char alpha1;            /* NCSI version alpha1 */
        char alpha2;            /* NCSI version alpha2 */
-       u8  fw_name[12];        /* Firmware name string                */
+       u8  fw_name[12 + 1];    /* Firmware name string                */
        u32 fw_version;         /* Firmware version                   */
        u16 pci_ids[4];         /* PCI identification                 */
        u32 mf_id;              /* Manufacture ID                     */

diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 88fb86cf7b208103518b4cd1639317a06b81255e..c1d42bbfdc7e8b2ff5f0f057202a59294f7e49ac 100644 (file)
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -782,6 +782,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr)
        ncv->alpha1 = rsp->alpha1;
        ncv->alpha2 = rsp->alpha2;
        memcpy(ncv->fw_name, rsp->fw_name, 12);
+       ncv->fw_name[12] = '\0';
        ncv->fw_version = ntohl(rsp->fw_version);
        for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++)
                ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]);