

Bluetooth: btmrvl_sdio: Remove all strcpy() uses
strcpy() performs no bounds checking on the destination buffer. This
could result in linear overflows beyond the end of the buffer, leading
to all kinds of misbehaviors. The safe replacement is strscpy() but in
this case it is better to use the scnprintf to simplify the arithmetic.

This is a preliminary step on the path to removing the strcpy() function
entirely from the kernel.

Signed-off-by: Len Baker <len.baker@gmx.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Len Baker authored and Marcel Holtmann committed Jul 29, 2021
1 parent 92fe24a commit 785077f
Showing 1 changed file with 14 additions and 15 deletions.
29 changes: 14 additions & 15 deletions drivers/bluetooth/btmrvl_sdio.c
Expand Up @@ -1350,6 +1350,7 @@ static void btmrvl_sdio_coredump(struct device *dev)
u8 *dbg_ptr, *end_ptr, *fw_dump_data, *fw_dump_ptr;
u8 dump_num = 0, idx, i, read_reg, doneflag = 0;
u32 memory_size, fw_dump_len = 0;
int size = 0;

card = sdio_get_drvdata(func);
priv = card->priv;
Expand Down Expand Up @@ -1478,7 +1479,7 @@ static void btmrvl_sdio_coredump(struct device *dev)
if (fw_dump_len == 0)
return;

fw_dump_data = vzalloc(fw_dump_len+1);
fw_dump_data = vzalloc(fw_dump_len + 1);
if (!fw_dump_data) {
BT_ERR("Vzalloc fw_dump_data fail!");
return;
Expand All @@ -1493,20 +1494,18 @@ static void btmrvl_sdio_coredump(struct device *dev)
struct memory_type_mapping *entry = &mem_type_mapping_tbl[idx];

if (entry->mem_ptr) {
strcpy(fw_dump_ptr, "========Start dump ");
fw_dump_ptr += strlen("========Start dump ");

strcpy(fw_dump_ptr, entry->mem_name);
fw_dump_ptr += strlen(entry->mem_name);

strcpy(fw_dump_ptr, "========\n");
fw_dump_ptr += strlen("========\n");

memcpy(fw_dump_ptr, entry->mem_ptr, entry->mem_size);
fw_dump_ptr += entry->mem_size;

strcpy(fw_dump_ptr, "\n========End dump========\n");
fw_dump_ptr += strlen("\n========End dump========\n");
size += scnprintf(fw_dump_ptr + size,
fw_dump_len + 1 - size,
"========Start dump %s========\n",
entry->mem_name);

memcpy(fw_dump_ptr + size, entry->mem_ptr,
entry->mem_size);
size += entry->mem_size;

size += scnprintf(fw_dump_ptr + size,
fw_dump_len + 1 - size,
"\n========End dump========\n");

vfree(mem_type_mapping_tbl[idx].mem_ptr);
mem_type_mapping_tbl[idx].mem_ptr = NULL;
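Review bot: The memcpy of `entry->mem_size` bytes into `fw_dump_ptr + size` is still unbounded, so the scnprintf conversions only protect the two marker strings: scnprintf clamps its output to `fw_dump_len + 1 - size`, but the copy itself can run past the vzalloc'd buffer if the earlier computation of fw_dump_len (outside this hunk) ever disagrees with the bytes written here, and once `size` exceeds `fw_dump_len + 1` the mixed int/u32 subtraction wraps into a huge length for the following scnprintf. A guard before the copy, `if (WARN_ON(size + entry->mem_size > fw_dump_len)) break;`, keeps the loop inside the allocation, and declaring the counter in the first hunk as `u32 size = 0;` rather than `int` keeps that arithmetic in one type. Note that `fw_dump_ptr` is no longer advanced by the loop; if the loop tail or the consumer of fw_dump_data (both beyond this hunk) relied on the advanced pointer rather than on fw_dump_len, that would need checking. btmrvl_sdio_coredump's body continues outside the hunk.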
