RE: [PATCH] [net-next,v2] ibmvnic: Feature implementation of Vital Product Data (VPD) for the ibmvnic driver

[David Laight]

From: David Miller
> Sent: 04 November 2017 13:21
> From: Desnes Augusto Nunes do Rosario 
> Date: Wed,  1 Nov 2017 19:03:32 -0200
> 
> > +   substr = strnstr(adapter->vpd->buff, "RM", adapter->vpd->len);
> > +   if (!substr) {
> > +   dev_info(dev, "No FW level provided by VPD\n");
> > +   complete(>fw_done);
> > +   return;
> > +   }
> > +
> > +   /* get length of firmware level ASCII substring */
> > +   fw_level_len = *(substr + 2);
> > +
> > +   /* copy firmware version string from vpd into adapter */
> > +   ptr = strncpy((char *)adapter->fw_version,
> > + substr + 3, fw_level_len);
> 
> You have to be more careful here, making sure first that
> (substr + 2) < (adapter->vpd->buff + adapter->vpd->len),
> and next that (substr + 2 + fw_level_len) is in range
> as well.

And that the copy isn't longer than the target buffer.

David

Re: [PATCH] [net-next,v2] ibmvnic: Feature implementation of Vital Product Data (VPD) for the ibmvnic driver

[David Miller]

From: Desnes Augusto Nunes do Rosario 
Date: Wed,  1 Nov 2017 19:03:32 -0200

> + substr = strnstr(adapter->vpd->buff, "RM", adapter->vpd->len);
> + if (!substr) {
> + dev_info(dev, "No FW level provided by VPD\n");
> + complete(>fw_done);
> + return;
> + }
> +
> + /* get length of firmware level ASCII substring */
> + fw_level_len = *(substr + 2);
> +
> + /* copy firmware version string from vpd into adapter */
> + ptr = strncpy((char *)adapter->fw_version,
> +   substr + 3, fw_level_len);

You have to be more careful here, making sure first that
(substr + 2) < (adapter->vpd->buff + adapter->vpd->len),
and next that (substr + 2 + fw_level_len) is in range
as well.