1. Patchew
  2. linux
  3. View series

[PATCH v1] net/ncsi: fix buffer overflow in getting version id

Jerry C Chen posted 1 patch 7 months, 1 week ago 
net/ncsi/internal.h | 2 +-
net/ncsi/ncsi-rsp.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
[PATCH v1] net/ncsi: fix buffer overflow in getting version id
Posted by Jerry C Chen 7 months, 1 week ago 
In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
need to be null terminated while its size occupies the full size
of the field. Fix the buffer overflow issue by adding one
additional byte for null terminator.

Signed-off-by: Jerry C Chen <Jerry_C_Chen@wiwynn.com>
---
 net/ncsi/internal.h | 2 +-
 net/ncsi/ncsi-rsp.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
index 2c260f33b55c..ad1f671ffc37 100644
--- a/net/ncsi/internal.h
+++ b/net/ncsi/internal.h
@@ -110,7 +110,7 @@ struct ncsi_channel_version {
        u8   update;            /* NCSI version update */
        char alpha1;            /* NCSI version alpha1 */
        char alpha2;            /* NCSI version alpha2 */
-       u8  fw_name[12];        /* Firmware name string                */
+       u8  fw_name[12 + 1];    /* Firmware name string                */
        u32 fw_version;         /* Firmware version                   */
        u16 pci_ids[4];         /* PCI identification                 */
        u32 mf_id;              /* Manufacture ID                     */
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 8668888c5a2f..d5ed80731e89 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -775,6 +775,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr)
        ncv->alpha1 = rsp->alpha1;
        ncv->alpha2 = rsp->alpha2;
        memcpy(ncv->fw_name, rsp->fw_name, 12);
+       ncv->fw_name[12] = '\0';
        ncv->fw_version = ntohl(rsp->fw_version);
        for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++)
                ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]);
--
2.25.1

WIWYNN PROPRIETARY
This email (and any attachments) contains proprietary or confidential information and is for the sole use of its intended recipient. Any unauthorized review, use, copying or distribution of this email or the content of this email is strictly prohibited. If you are not the intended recipient, please notify the sender and delete this email immediately.
Re: [PATCH v1] net/ncsi: fix buffer overflow in getting version id
Posted by Paul Fertser 7 months, 1 week ago 
Hello Jerry,

This looks like an updated version of your previous patch[0] but you
have forgotten to increase the number in the Subject. You have also
forgotten to reply and take into account /some/ of the points I raised
in the review.

On Thu, May 15, 2025 at 04:34:47PM +0800, Jerry C Chen wrote:
> In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
> need to be null terminated while its size occupies the full size
> of the field. Fix the buffer overflow issue by adding one
> additional byte for null terminator.
...

Please give an answer to every comment I made for your previous patch
version and either make a corresponding change or explain why exactly
you disagree.

Also please stop sending any and all "proprietary or confidential
information".

[0] https://patchwork.kernel.org/project/netdevbpf/patch/20250227055044.3878374-1-Jerry_C_Chen@wiwynn.com/

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.