Commit 8e16170a authored by Hari Kalavakunta Committed by Jakub Kicinski

net: ncsi: Fix buffer overflow in fetching version id



In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
need to be null terminated when it occupies the full size
of the field. Fix the buffer overflow issue by adding one
additional byte for the null terminator.

Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
Reviewed-by: Paul Fertser <fercerpav@gmail.com>
Link: https://patch.msgid.link/20250610193338.1368-1-kalavakunta.hari.prasad@gmail.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parent 221dfdb2
+1 −1
@@ -110,7 +110,7 @@ struct ncsi_channel_version {
	u8   update;		/* NCSI version update */
	char alpha1;		/* NCSI version alpha1 */
	char alpha2;		/* NCSI version alpha2 */
	u8  fw_name[12];	/* Firmware name string                */
	u8  fw_name[12 + 1];	/* Firmware name string                */
	u32 fw_version;		/* Firmware version                   */
	u16 pci_ids[4];		/* PCI identification                 */
	u32 mf_id;		/* Manufacture ID                     */
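Review bot: The new size `12 + 1` in `struct ncsi_channel_version` is a bare literal, and the handler hunk in ncsi_rsp_handler_gvi repeats it as the `12` copy length and the `[12]` index, so three values have to be kept in step by hand. If one is changed without the others, the copy could again write past the array or leave the name unterminated. Deriving the handler's values from the destination would remove that coupling: `memcpy(ncv->fw_name, rsp->fw_name, sizeof(ncv->fw_name) - 1);` followed by `ncv->fw_name[sizeof(ncv->fw_name) - 1] = '\0';`. The field comment could also state the layout, e.g. `/* Firmware name, 12 wire bytes + NUL */`. The struct begins before and continues past this hunk.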
+1 −0
@@ -775,6 +775,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr)
	ncv->alpha1 = rsp->alpha1;
	ncv->alpha2 = rsp->alpha2;
	memcpy(ncv->fw_name, rsp->fw_name, 12);
	ncv->fw_name[12] = '\0';
	ncv->fw_version = ntohl(rsp->fw_version);
	for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++)
		ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]);
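Review bot: The added `ncv->fw_name[12] = '\0';` has no comment saying why the terminator is forced, so the reason lives only in the commit message. A one-line comment above it would keep the constraint next to the code: `/* fw_name in the response may fill all 12 bytes with no NUL (NC-SI v1.2, 8.4.44.2) */`. The body of ncsi_rsp_handler_gvi starts and ends outside this hunk, so it is not visible here whether the response length is checked before the copy.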