From patchwork Tue May 12 21:49:41 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Luis R. Rodriguez" <mcgrof@do-not-panic.com>
X-Patchwork-Id: 6392041
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
X-Original-To: patchwork-linux-wireless@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 54E929F32E
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Tue, 12 May 2015 21:56:32 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 6AA7220380
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Tue, 12 May 2015 21:56:31 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 85C022035D
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Tue, 12 May 2015 21:56:30 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933975AbbELV4T (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Tue, 12 May 2015 17:56:19 -0400
Received: from mail-pd0-f181.google.com ([209.85.192.181]:35951 "EHLO
	mail-pd0-f181.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S933642AbbELV4R (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Tue, 12 May 2015 17:56:17 -0400
Received: by pdea3 with SMTP id a3so28230041pde.3;
	Tue, 12 May 2015 14:56:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=sender:from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=G9PcgyaxGUgv/oN2Y7WlfCwDDlZp7gaNpwKLN6kNsv8=;
	b=Oqyc2i8p9g1OZKhtkerI6EIk5MVEzBZiNnZNEk2sRH4ekLj8z1FbGR4JgPlbhOZH9U
	cWKMi+THp8QG0Ud4nual+NMF6TwZEoE6NvWPq1KejxfEPNh9KqqGfh5J6BHldv+s+yJd
	376sgIVlsUx5Mxvqc3MV7hXNjOO2cqD8uUS4HKIvwL43MQ3u1lnfo8snbWB9bseVFa10
	hx9rkzpHM1etAnCaeZilap5uhhqyYU1bYVF6pFwj4vfvUgk8thQwbsf9Vi8IzAVYEdi8
	RJC9XEaBzfEDV88ZOAIxnS/ZSF1ua+J9vD6zy0g+o0uaeLiIBfh3E+qxiOegFgUajEq4
	T9lQ==
X-Received: by 10.66.228.130 with SMTP id si2mr31713620pac.92.1431467777356;
	Tue, 12 May 2015 14:56:17 -0700 (PDT)
Received: from mcgrof@gmail.com (c-98-234-145-61.hsd1.ca.comcast.net.
	[98.234.145.61]) by mx.google.com with ESMTPSA id
	l14sm17211375pdm.16.2015.05.12.14.56.14
	(version=TLSv1 cipher=RC4-SHA bits=128/128);
	Tue, 12 May 2015 14:56:16 -0700 (PDT)
Received: by mcgrof@gmail.com (sSMTP sendmail emulation);
	Tue, 12 May 2015 14:54:06 -0700
From: "Luis R. Rodriguez" <mcgrof@do-not-panic.com>
To: ming.lei@canonical.com, rusty@rustcorp.com.au
Cc: torvalds@linux-foundation.org, dhowells@redhat.com,
	seth.forshee@canonical.com, linux-kernel@vger.kernel.org,
	pebolle@tiscali.nl, linux-wireless@vger.kernel.org,
	gregkh@linuxfoundation.org, jlee@suse.com, tiwai@suse.de,
	"Luis R. Rodriguez" <mcgrof@suse.com>, Kyle McMartin <kyle@kernel.org>
Subject: [PATCH v3 2/4] firmware: check for file truncation on direct
	firmware loading
Date: Tue, 12 May 2015 14:49:41 -0700
Message-Id: <1431467383-28540-3-git-send-email-mcgrof@do-not-panic.com>
X-Mailer: git-send-email 2.1.0
In-Reply-To: <1431467383-28540-1-git-send-email-mcgrof@do-not-panic.com>
References: <1431467383-28540-1-git-send-email-mcgrof@do-not-panic.com>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: "Luis R. Rodriguez" <mcgrof@suse.com>

When direct firmware loading is used we iterate over a list
of possible firmware paths and concatenate the desired firmware
name with each path and look for the file there. Should the
passed firmware name be too long we end up truncating the
file we want to look for, the search however is still done.
Add a check for truncation instead of looking for a
truncated firmware filename.

Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ming Lei <ming.lei@canonical.com>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: David Howells <dhowells@redhat.com>
Cc: Kyle McMartin <kyle@kernel.org>
Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
---
 drivers/base/firmware_class.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index 49139a1..9ffa707 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -320,7 +320,7 @@ fail:
 static int fw_get_filesystem_firmware(struct device *device,
 				       struct firmware_buf *buf)
 {
-	int i;
+	int i, len;
 	int rc = -ENOENT;
 	char *path;
 
@@ -335,7 +335,12 @@ static int fw_get_filesystem_firmware(struct device *device,
 		if (!fw_path[i][0])
 			continue;
 
-		snprintf(path, PATH_MAX, "%s/%s", fw_path[i], buf->fw_id);
+		len = snprintf(path, PATH_MAX, "%s/%s",
+			       fw_path[i], buf->fw_id);
+		if (len >= PATH_MAX) {
+			rc = -ENAMETOOLONG;
+			break;
+		}
 
 		file = filp_open(path, O_RDONLY, 0);
 		if (IS_ERR(file))