brcmfmac: Do not use strcpy and strcat
authorDaniel Kim <dekim@broadcom.com>
Wed, 30 Jul 2014 11:20:00 +0000 (13:20 +0200)
committerJohn W. Linville <linville@tuxdriver.com>
Thu, 31 Jul 2014 17:41:44 +0000 (13:41 -0400)
Commit "c1b2053 brcmfmac: Make firmware path a module parameter"
introduced use of strcpy and strcat. Both functions rely on
null-terminated strings and can cause out-of-bounds memory
access and subsequent corruption. This patch replaces them with
strncpy and strncat respectively to ensure array boundaries are
not crossed.

Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Signed-off-by: Daniel Kim <dekim@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c

index 67d91d5..f55f625 100644 (file)
@@ -670,6 +670,8 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
                                  struct brcmf_sdio_dev *sdiodev)
 {
        int i;
+       uint fw_len, nv_len;
+       char end;
 
        for (i = 0; i < ARRAY_SIZE(brcmf_fwname_data); i++) {
                if (brcmf_fwname_data[i].chipid == ci->chip &&
@@ -682,16 +684,25 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
                return -ENODEV;
        }
 
+       fw_len = sizeof(sdiodev->fw_name) - 1;
+       nv_len = sizeof(sdiodev->nvram_name) - 1;
        /* check if firmware path is provided by module parameter */
        if (brcmf_firmware_path[0] != '\0') {
-               if (brcmf_firmware_path[strlen(brcmf_firmware_path) - 1] != '/')
-                       strcat(brcmf_firmware_path, "/");
-
-               strcpy(sdiodev->fw_name, brcmf_firmware_path);
-               strcpy(sdiodev->nvram_name, brcmf_firmware_path);
+               strncpy(sdiodev->fw_name, brcmf_firmware_path, fw_len);
+               strncpy(sdiodev->nvram_name, brcmf_firmware_path, nv_len);
+               fw_len -= strlen(sdiodev->fw_name);
+               nv_len -= strlen(sdiodev->nvram_name);
+
+               end = brcmf_firmware_path[strlen(brcmf_firmware_path) - 1];
+               if (end != '/') {
+                       strncat(sdiodev->fw_name, "/", fw_len);
+                       strncat(sdiodev->nvram_name, "/", nv_len);
+                       fw_len--;
+                       nv_len--;
+               }
        }
-       strcat(sdiodev->fw_name, brcmf_fwname_data[i].bin);
-       strcat(sdiodev->nvram_name, brcmf_fwname_data[i].nv);
+       strncat(sdiodev->fw_name, brcmf_fwname_data[i].bin, fw_len);
+       strncat(sdiodev->nvram_name, brcmf_fwname_data[i].nv, nv_len);
 
        return 0;
 }
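Review bot: `fw_len` and `nv_len` are `uint`, so when the module-parameter path fills the buffer they reach 0 after the `strlen()` subtraction, and the `fw_len--` / `nv_len--` in the `end != '/'` branch then wraps them to UINT_MAX, leaving the final `strncat()` calls effectively unbounded again. Decrement only when there is room, e.g. `if (fw_len) fw_len--;` and `if (nv_len) nv_len--;`, or preferably treat a path that does not fit as an error and return before the final append rather than requesting a silently truncated file name. The two `strncpy()` calls also write no terminator when the source is `fw_len` bytes or longer, so the `strlen()` that follows is only safe if the last byte of each array is already zero, which this hunk does not show. `strlcpy()`/`strlcat()`, or one `snprintf()` per name with its return value checked against the array size, would remove both problems. The function's opening lines are in the previous hunk.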