summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndy Green <andy@warmcat.com>2018-05-14 13:00:01 +0800
committerFerruh Yigit <ferruh.yigit@intel.com>2018-05-14 23:32:23 +0200
commita74640c468d946cdeb67089eca04c202b1857788 (patch)
treeb30554c7fa4211844982401299412d5b10bc45f3
parent275782311ca05f879a366691ceaba4e8ed643fec (diff)
downloaddpdk-a74640c468d946cdeb67089eca04c202b1857788.zip
dpdk-a74640c468d946cdeb67089eca04c202b1857788.tar.gz
dpdk-a74640c468d946cdeb67089eca04c202b1857788.tar.xz
net/nfp: fix buffer overflow of FW strings
drivers/net/nfp/nfp_net.c: In function ‘nfp_pf_pci_probe’: drivers/net/nfp/nfp_net.c:3160: 23: error: ‘%s’ directive writing up to 99 bytes into a region of size 76 [-Werror=format-overflow=] sprintf(fw_name, "%s/%s.nffw", DEFAULT_FW_PATH, serial); Note fw_buf still has to increase somewhat even after restricting serial[], since otherwise: drivers/net/nfp/nfp_net.c: In function ‘nfp_pf_pci_probe’: drivers/net/nfp/nfp_net.c:3176:23: error: ‘%s’ directive writing up to 99 bytes into a region of size 76 [-Werror=format-overflow=] sprintf(fw_name, "%s/%s", DEFAULT_FW_PATH, card); ^~ drivers/net/nfp/nfp_net.c:3262:32: err = nfp_fw_upload(dev, nsp, card_desc); ~~~~~~~~~ drivers/net/nfp/nfp_net.c:3176:2: note: ‘sprintf’ output between 25 and 124 bytes into a destination of size 100 sprintf(fw_name, "%s/%s", DEFAULT_FW_PATH, card); Fixes: 896c265ef954 ("net/nfp: use new CPP interface") Signed-off-by: Andy Green <andy@warmcat.com> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
-rw-r--r--drivers/net/nfp/nfp_net.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/net/nfp/nfp_net.c b/drivers/net/nfp/nfp_net.c
index ff6aad0..8a712d6 100644
--- a/drivers/net/nfp/nfp_net.c
+++ b/drivers/net/nfp/nfp_net.c
@@ -2983,8 +2983,8 @@ nfp_fw_upload(struct rte_pci_device *dev, struct nfp_nsp *nsp, char *card)
struct nfp_cpp *cpp = nsp->cpp;
int fw_f;
char *fw_buf;
- char fw_name[100];
- char serial[100];
+ char fw_name[125];
+ char serial[40];
struct stat file_stat;
off_t fsize, bytes;