From patchwork Tue May 12 18:30:54 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Luis R. Rodriguez" <mcgrof@do-not-panic.com>
X-Patchwork-Id: 6390381
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
X-Original-To: patchwork-linux-wireless@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 1D36A9F374
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Tue, 12 May 2015 18:37:40 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 41DBB20416
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Tue, 12 May 2015 18:37:39 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 517D620411
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Tue, 12 May 2015 18:37:38 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933585AbbELShh (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Tue, 12 May 2015 14:37:37 -0400
Received: from mail-pd0-f173.google.com ([209.85.192.173]:34331 "EHLO
	mail-pd0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S933572AbbELShe (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Tue, 12 May 2015 14:37:34 -0400
Received: by pdbqa5 with SMTP id qa5so22797571pdb.1;
	Tue, 12 May 2015 11:37:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=sender:from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=7b1ENrRTZyNFhfrVDUpo4WQEFFsXX+qUOE1ANFePIkc=;
	b=qDNoKfUWdJ4wR4RJgjABPKxR7fs5W8jqCrt9MYOs1SpnFOrRE+pP2fkJSI7iIliaeR
	/e8dmUCzz/OT6r/kvI02uTkoBoZ61T3hkAojoCScidupeAv5KhGYRcTJVrBPmH5LDi+b
	VgicmU3gS4VoK2EartiFKWrBYFe8N8mjLweJQhKwQcQpAVELl+fW99hgYerPeHfC45Pl
	I2B7HOvT3r11LU+01KLD4faIOKf4305UOZ5A7yL1E9FR4lLFgZqQK6Ib4d9LNvLak1pC
	dhtzeUsZetJK+0WzmIRnTpP/1UB7sci/ExjqXQQdcnfhlgfQCeb9mecZYDO3pSth41uw
	fZYQ==
X-Received: by 10.66.182.161 with SMTP id ef1mr30390200pac.119.1431455854149;
	Tue, 12 May 2015 11:37:34 -0700 (PDT)
Received: from mcgrof@gmail.com (c-98-234-145-61.hsd1.ca.comcast.net.
	[98.234.145.61]) by mx.google.com with ESMTPSA id
	gj9sm16909486pbc.77.2015.05.12.11.37.31
	(version=TLSv1 cipher=RC4-SHA bits=128/128);
	Tue, 12 May 2015 11:37:33 -0700 (PDT)
Received: by mcgrof@gmail.com (sSMTP sendmail emulation);
	Tue, 12 May 2015 11:35:23 -0700
From: "Luis R. Rodriguez" <mcgrof@do-not-panic.com>
To: ming.lei@canonical.com, rusty@rustcorp.com.au
Cc: dhowells@redhat.com, seth.forshee@canonical.com,
	torvalds@linux-foundation.org, linux-kernel@vger.kernel.org,
	pebolle@tiscali.nl, linux-wireless@vger.kernel.org,
	"Luis R. Rodriguez" <mcgrof@suse.com>, Kyle McMartin <kyle@kernel.org>
Subject: [PATCH v2 2/5] firmware: check for file truncation on direct
	firmware loading
Date: Tue, 12 May 2015 11:30:54 -0700
Message-Id: <1431455457-25322-3-git-send-email-mcgrof@do-not-panic.com>
X-Mailer: git-send-email 2.1.0
In-Reply-To: <1431455457-25322-1-git-send-email-mcgrof@do-not-panic.com>
References: <1431455457-25322-1-git-send-email-mcgrof@do-not-panic.com>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: "Luis R. Rodriguez" <mcgrof@suse.com>

When direct firmware loading is used we iterate over a list
of possible firmware paths and concatenate the desired firmware
name with each path and look for the file there. Should the
passed firmware name be too long we end up truncating the
file we want to look for, the search however is still done.
Add a check for truncation instead of looking for a
truncated firmware filename.

Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ming Lei <ming.lei@canonical.com>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: David Howells <dhowells@redhat.com>
Cc: Kyle McMartin <kyle@kernel.org>
Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
---
 drivers/base/firmware_class.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index bc6c8e6..99385fc 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -320,7 +320,7 @@ fail:
 static int fw_get_filesystem_firmware(struct device *device,
 				       struct firmware_buf *buf)
 {
-	int i;
+	int i, len;
 	int rc = -ENOENT;
 	char *path;
 
@@ -335,7 +335,12 @@ static int fw_get_filesystem_firmware(struct device *device,
 		if (!fw_path[i][0])
 			continue;
 
-		snprintf(path, PATH_MAX, "%s/%s", fw_path[i], buf->fw_id);
+		len = snprintf(path, PATH_MAX, "%s/%s",
+			       fw_path[i], buf->fw_id);
+		if (len >= PATH_MAX) {
+			rc = -ENAMETOOLONG;
+			break;
+		}
 
 		file = filp_open(path, O_RDONLY, 0);
 		if (IS_ERR(file))