scsi: lpfc: Fix possible file string name overflow when updating firmware
author Justin Tee <justin.tee@broadcom.com>
Tue, 31 Oct 2023 19:12:17 +0000 (12:12 -0700)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 5 Feb 2024 20:14:19 +0000 (20:14 +0000)
[ Upstream commit f5779b529240b715f0e358489ad0ed933bf77c97 ]

Because file_name and phba->ModelName are both declared with a size of 80 bytes,
the extra ".grp" file extension could cause an overflow into file_name.

Define an ELX_FW_NAME_SIZE macro with value 84.  84 incorporates the 4 extra
characters from ".grp".  file_name is changed to be declared as a char and
initialized to zeros, i.e. null chars.

Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20231031191224.150862-3-justintee8345@gmail.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/scsi/lpfc/lpfc.h
drivers/scsi/lpfc/lpfc_init.c

index af15f7a..04d608e 100644 (file)
@@ -33,6 +33,7 @@
 struct lpfc_sli2_slim;
 
 #define ELX_MODEL_NAME_SIZE    80
+#define ELX_FW_NAME_SIZE       84
 
 #define LPFC_PCI_DEV_LP                0x1
 #define LPFC_PCI_DEV_OC                0x2
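Review bot: `ELX_FW_NAME_SIZE` is hard-coded as 84 at the new `#define`, so its relationship to `ELX_MODEL_NAME_SIZE` is recorded only in the commit message. Deriving it, for example `#define ELX_FW_NAME_SIZE (ELX_MODEL_NAME_SIZE + sizeof(".grp") - 1)`, or at least adding a comment that the extra 4 bytes cover the ".grp" suffix, keeps the two sizes from drifting apart if the model name size is changed later.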
index 9e59c05..2c33695 100644 (file)
@@ -14725,7 +14725,7 @@ out:
 int
 lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade)
 {
-       uint8_t file_name[ELX_MODEL_NAME_SIZE];
+       char file_name[ELX_FW_NAME_SIZE] = {0};
        int ret;
        const struct firmware *fw;
 
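Review bot: the `= {0}` initializer on the new `file_name` declaration looks redundant, since the only write shown is the bounded format call in the next hunk, and `scnprintf()` always NUL-terminates a non-zero-sized buffer. Either drop the initializer or note in the commit message which read of `file_name` it protects. The switch from `uint8_t` to `char` is the right type for a `%s` destination and needs no change.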
@@ -14734,7 +14734,7 @@ lpfc_sli4_request_firmware_update(struct lpfc_hba *phba, uint8_t fw_upgrade)
            LPFC_SLI_INTF_IF_TYPE_2)
                return -EPERM;
 
-       snprintf(file_name, ELX_MODEL_NAME_SIZE, "%s.grp", phba->ModelName);
+       scnprintf(file_name, sizeof(file_name), "%s.grp", phba->ModelName);
 
        if (fw_upgrade == INT_FW_UPGRADE) {
                ret = request_firmware_nowait(THIS_MODULE, FW_ACTION_UEVENT,
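Review bot: the return value of `scnprintf()` is still discarded on the added line, so switching from `snprintf()` changes nothing observable here; the effective fix is the larger buffer together with `sizeof(file_name)` as the bound. The removed call was already bounded by `ELX_MODEL_NAME_SIZE`, which matched the old array size, so the old failure mode was a silently truncated firmware file name rather than a write past the buffer, and the commit message could say so. If a truncated name must never reach `request_firmware_nowait()`, check the formatted length and return an error before making the request.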