staging: tidspbridge: fix potential array out of bounds write

The name of the firmware (drv_datap->base_img) could potentially become equal to 255 valid characters (size of exec_file), this will result in an out of bounds write, given that the 255 chars along with a '\0' terminator will be copied into an array of 255 chars. Produce an error on this cases, because the driver expects the NULL ending to be among the 255 char limit. Reported-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Omar Ramirez Luna <omar.ramirez@copitl.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Omar Ramirez Luna <omar.ramirez@copitl.com> 2013-01-10 03:36:58 -0600
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-01-17 16:47:13 -0800
commit: 7c256647b5ef8094ca3a6f43a442d6d8aac18058 (patch)
tree: 82e1a5b1122ff34abf1faa1d744a450749349c8f /drivers/staging/tidspbridge
parent: f14287b9671d462a54d3b6800832fb519284eb34 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/staging/tidspbridge/rmgr/proc.c b/drivers/staging/tidspbridge/rmgr/proc.c
index 5e43938ab7fa..ac016edc579f 100644
--- a/drivers/staging/tidspbridge/rmgr/proc.c
+++ b/drivers/staging/tidspbridge/rmgr/proc.c
@@ -394,7 +394,7 @@ static int get_exec_file(struct cfg_devnode *dev_node_obj,
 		if (!drv_datap || !drv_datap->base_img)
 			return -EFAULT;
 
-		if (strlen(drv_datap->base_img) > size)
+		if (strlen(drv_datap->base_img) >= size)
 			return -EINVAL;
 
 		strcpy(exec_file, drv_datap->base_img);
author	Omar Ramirez Luna <omar.ramirez@copitl.com>	2013-01-10 03:36:58 -0600
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-01-17 16:47:13 -0800
commit	7c256647b5ef8094ca3a6f43a442d6d8aac18058 (patch)
tree	82e1a5b1122ff34abf1faa1d744a450749349c8f /drivers/staging/tidspbridge
parent	f14287b9671d462a54d3b6800832fb519284eb34 (diff)