From: Omar Ramirez Luna Date: Thu, 10 Jan 2013 09:36:58 +0000 (-0600) Subject: staging: tidspbridge: fix potential array out of bounds write X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=7c256647b5ef8094ca3a6f43a442d6d8aac18058;p=openwrt%2Fstaging%2Fblogic.git staging: tidspbridge: fix potential array out of bounds write The name of the firmware (drv_datap->base_img) could potentially become equal to 255 valid characters (size of exec_file), this will result in an out of bounds write, given that the 255 chars along with a '\0' terminator will be copied into an array of 255 chars. Produce an error on this cases, because the driver expects the NULL ending to be among the 255 char limit. Reported-by: Chen Gang Signed-off-by: Omar Ramirez Luna Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/tidspbridge/rmgr/proc.c b/drivers/staging/tidspbridge/rmgr/proc.c index 5e43938ab7fa..ac016edc579f 100644 --- a/drivers/staging/tidspbridge/rmgr/proc.c +++ b/drivers/staging/tidspbridge/rmgr/proc.c @@ -394,7 +394,7 @@ static int get_exec_file(struct cfg_devnode *dev_node_obj, if (!drv_datap || !drv_datap->base_img) return -EFAULT; - if (strlen(drv_datap->base_img) > size) + if (strlen(drv_datap->base_img) >= size) return -EINVAL; strcpy(exec_file, drv_datap->base_img);