Commit ca64b719 authored by Sudeep Holla's avatar Sudeep Holla

firmware: arm_scmi: use strlcpy to ensure NULL-terminated strings

Replace all the memcpy() for copying name strings from the firmware with
strlcpy() to make sure we are bounded by the source buffer size and we
also always have NULL-terminated strings.

This is needed to avoid out of bounds accesses if the firmware returns
a non-terminated string.
Reported-by: default avatarOlof Johansson <olof@lixom.net>
Acked-by: default avatarOlof Johansson <olof@lixom.net>
Signed-off-by: default avatarSudeep Holla <sudeep.holla@arm.com>
parent 11da3a7f
...@@ -208,7 +208,7 @@ static int scmi_base_discover_agent_get(const struct scmi_handle *handle, ...@@ -208,7 +208,7 @@ static int scmi_base_discover_agent_get(const struct scmi_handle *handle,
ret = scmi_do_xfer(handle, t); ret = scmi_do_xfer(handle, t);
if (!ret) if (!ret)
memcpy(name, t->rx.buf, SCMI_MAX_STR_SIZE); strlcpy(name, t->rx.buf, SCMI_MAX_STR_SIZE);
scmi_xfer_put(handle, t); scmi_xfer_put(handle, t);
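Review bot: strlcpy() can still read past the end of the source when the firmware string is unterminated, because the kernel implementation computes its return value with strlen(src); the new `strlcpy(name, t->rx.buf, SCMI_MAX_STR_SIZE);` bounds and terminates only the destination. `strscpy(name, t->rx.buf, SCMI_MAX_STR_SIZE);` reads no more than the given size and returns -E2BIG on truncation, so the caller could also notice a name that filled the whole field. The same applies to the strlcpy() calls added in scmi_clock_attributes_get, scmi_perf_domain_attributes_get, scmi_power_domain_attributes_get and scmi_sensor_description_get. The enclosing functions start and end outside the hunks, so whether the received length is checked against SCMI_MAX_STR_SIZE before the copy is not visible here.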
......
...@@ -111,7 +111,7 @@ static int scmi_clock_attributes_get(const struct scmi_handle *handle, ...@@ -111,7 +111,7 @@ static int scmi_clock_attributes_get(const struct scmi_handle *handle,
ret = scmi_do_xfer(handle, t); ret = scmi_do_xfer(handle, t);
if (!ret) if (!ret)
memcpy(clk->name, attr->name, SCMI_MAX_STR_SIZE); strlcpy(clk->name, attr->name, SCMI_MAX_STR_SIZE);
else else
clk->name[0] = '\0'; clk->name[0] = '\0';
......
...@@ -174,7 +174,7 @@ scmi_perf_domain_attributes_get(const struct scmi_handle *handle, u32 domain, ...@@ -174,7 +174,7 @@ scmi_perf_domain_attributes_get(const struct scmi_handle *handle, u32 domain,
dom_info->mult_factor = dom_info->mult_factor =
(dom_info->sustained_freq_khz * 1000) / (dom_info->sustained_freq_khz * 1000) /
dom_info->sustained_perf_level; dom_info->sustained_perf_level;
memcpy(dom_info->name, attr->name, SCMI_MAX_STR_SIZE); strlcpy(dom_info->name, attr->name, SCMI_MAX_STR_SIZE);
} }
scmi_xfer_put(handle, t); scmi_xfer_put(handle, t);
......
...@@ -106,7 +106,7 @@ scmi_power_domain_attributes_get(const struct scmi_handle *handle, u32 domain, ...@@ -106,7 +106,7 @@ scmi_power_domain_attributes_get(const struct scmi_handle *handle, u32 domain,
dom_info->state_set_notify = SUPPORTS_STATE_SET_NOTIFY(flags); dom_info->state_set_notify = SUPPORTS_STATE_SET_NOTIFY(flags);
dom_info->state_set_async = SUPPORTS_STATE_SET_ASYNC(flags); dom_info->state_set_async = SUPPORTS_STATE_SET_ASYNC(flags);
dom_info->state_set_sync = SUPPORTS_STATE_SET_SYNC(flags); dom_info->state_set_sync = SUPPORTS_STATE_SET_SYNC(flags);
memcpy(dom_info->name, attr->name, SCMI_MAX_STR_SIZE); strlcpy(dom_info->name, attr->name, SCMI_MAX_STR_SIZE);
} }
scmi_xfer_put(handle, t); scmi_xfer_put(handle, t);
......
...@@ -140,7 +140,7 @@ static int scmi_sensor_description_get(const struct scmi_handle *handle, ...@@ -140,7 +140,7 @@ static int scmi_sensor_description_get(const struct scmi_handle *handle,
s = &si->sensors[desc_index + cnt]; s = &si->sensors[desc_index + cnt];
s->id = le32_to_cpu(buf->desc[cnt].id); s->id = le32_to_cpu(buf->desc[cnt].id);
s->type = SENSOR_TYPE(attrh); s->type = SENSOR_TYPE(attrh);
memcpy(s->name, buf->desc[cnt].name, SCMI_MAX_STR_SIZE); strlcpy(s->name, buf->desc[cnt].name, SCMI_MAX_STR_SIZE);
} }
desc_index += num_returned; desc_index += num_returned;
......