1. Patchew
  2. linux
  3. View series

[PATCH net-next] net: ncsi: Fix buffer overflow in fetching version id

kalavakunta.hari.prasad@gmail.com posted 1 patch 4 months ago 
net/ncsi/internal.h | 2 +-
net/ncsi/ncsi-rsp.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
[PATCH net-next] net: ncsi: Fix buffer overflow in fetching version id
Posted by kalavakunta.hari.prasad@gmail.com 4 months ago 
From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>

In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
need to be null terminated while its size occupies the full size
of the field. Fix the buffer overflow issue by adding one
additional byte for null terminator.

Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
---
 net/ncsi/internal.h | 2 +-
 net/ncsi/ncsi-rsp.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
index e76c6de0c784..adee6dcabdc3 100644
--- a/net/ncsi/internal.h
+++ b/net/ncsi/internal.h
@@ -110,7 +110,7 @@ struct ncsi_channel_version {
 	u8   update;		/* NCSI version update */
 	char alpha1;		/* NCSI version alpha1 */
 	char alpha2;		/* NCSI version alpha2 */
-	u8  fw_name[12];	/* Firmware name string                */
+	u8  fw_name[12 + 1];	/* Firmware name string                */
 	u32 fw_version;		/* Firmware version                   */
 	u16 pci_ids[4];		/* PCI identification                 */
 	u32 mf_id;		/* Manufacture ID                     */
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 472cc68ad86f..271ec6c3929e 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -775,6 +775,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr)
 	ncv->alpha1 = rsp->alpha1;
 	ncv->alpha2 = rsp->alpha2;
 	memcpy(ncv->fw_name, rsp->fw_name, 12);
+	ncv->fw_name[12] = '\0';
 	ncv->fw_version = ntohl(rsp->fw_version);
 	for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++)
 		ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]);
-- 
2.47.1
Re: [PATCH net-next] net: ncsi: Fix buffer overflow in fetching version id
Posted by Paul Fertser 4 months ago 
Hello Hari,

On Tue, Jun 10, 2025 at 12:33:38PM -0700, kalavakunta.hari.prasad@gmail.com wrote:
> From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
> 
> In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
> need to be null terminated while its size occupies the full size
> of the field. Fix the buffer overflow issue by adding one
> additional byte for null terminator.
> 
> Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>

You seem to be surprisingly persistent about ignoring my remarks on
your commit message.

So be it, since the code looks correct and reliable, fixes a real life
bug, and actually applies to the right tree now,

Reviewed-by: Paul Fertser <fercerpav@gmail.com>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.