firmware: arm_scmi: use strlcpy to ensure NULL-terminated strings
Replace all the memcpy() for copying name strings from the firmware with strlcpy() to make sure we are bounded by the source buffer size and we also always have NULL-terminated strings. This is needed to avoid out of bounds accesses if the firmware returns a non-terminated string. Reported-by: Olof Johansson <olof@lixom.net> Acked-by: Olof Johansson <olof@lixom.net> Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
This commit is contained in:
parent
11da3a7f84
commit
ca64b719a1
@ -208,7 +208,7 @@ static int scmi_base_discover_agent_get(const struct scmi_handle *handle,
|
||||
|
||||
ret = scmi_do_xfer(handle, t);
|
||||
if (!ret)
|
||||
memcpy(name, t->rx.buf, SCMI_MAX_STR_SIZE);
|
||||
strlcpy(name, t->rx.buf, SCMI_MAX_STR_SIZE);
|
||||
|
||||
scmi_xfer_put(handle, t);
|
||||
|
||||
|
@ -111,7 +111,7 @@ static int scmi_clock_attributes_get(const struct scmi_handle *handle,
|
||||
|
||||
ret = scmi_do_xfer(handle, t);
|
||||
if (!ret)
|
||||
memcpy(clk->name, attr->name, SCMI_MAX_STR_SIZE);
|
||||
strlcpy(clk->name, attr->name, SCMI_MAX_STR_SIZE);
|
||||
else
|
||||
clk->name[0] = '\0';
|
||||
|
||||
|
@ -174,7 +174,7 @@ scmi_perf_domain_attributes_get(const struct scmi_handle *handle, u32 domain,
|
||||
dom_info->mult_factor =
|
||||
(dom_info->sustained_freq_khz * 1000) /
|
||||
dom_info->sustained_perf_level;
|
||||
memcpy(dom_info->name, attr->name, SCMI_MAX_STR_SIZE);
|
||||
strlcpy(dom_info->name, attr->name, SCMI_MAX_STR_SIZE);
|
||||
}
|
||||
|
||||
scmi_xfer_put(handle, t);
|
||||
|
@ -106,7 +106,7 @@ scmi_power_domain_attributes_get(const struct scmi_handle *handle, u32 domain,
|
||||
dom_info->state_set_notify = SUPPORTS_STATE_SET_NOTIFY(flags);
|
||||
dom_info->state_set_async = SUPPORTS_STATE_SET_ASYNC(flags);
|
||||
dom_info->state_set_sync = SUPPORTS_STATE_SET_SYNC(flags);
|
||||
memcpy(dom_info->name, attr->name, SCMI_MAX_STR_SIZE);
|
||||
strlcpy(dom_info->name, attr->name, SCMI_MAX_STR_SIZE);
|
||||
}
|
||||
|
||||
scmi_xfer_put(handle, t);
|
||||
|
@ -140,7 +140,7 @@ static int scmi_sensor_description_get(const struct scmi_handle *handle,
|
||||
s = &si->sensors[desc_index + cnt];
|
||||
s->id = le32_to_cpu(buf->desc[cnt].id);
|
||||
s->type = SENSOR_TYPE(attrh);
|
||||
memcpy(s->name, buf->desc[cnt].name, SCMI_MAX_STR_SIZE);
|
||||
strlcpy(s->name, buf->desc[cnt].name, SCMI_MAX_STR_SIZE);
|
||||
}
|
||||
|
||||
desc_index += num_returned;
|
||||
|
Loading…
Reference in New Issue
Block a user