8 Feb 2015, 5:52 a.m.
On Sat, Feb 07, 2015 at 11:40:52PM +0100, Christian Engelmayer wrote:
Function sst_acpi_probe() uses plain strcpy for setting member firmware_name of a struct intel_sst_drv from member firmware of a struct sst_machines. Thereby the destination array has got a length of 20 bytes while the source may hold 32 bytes. Since e.g. commit 64b9c90b8600 ("ASoC: Intel: Fix BYTCR firmware name") increased strings from "fw_sst_0f28.bin" to "intel/fw_sst_0f28.bin" there is an actual possibility that the 20-byte array at the end of struct intel_sst_drv is overrun.
Applied, thanks, though it seems more robust to stop copying the strings at all and instead just make as many of the fields char * as we can.
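
The two fixes discussed in this thread, sketched in userspace C as an added example (not part of the original mails and not the kernel code). The structs are simplified stand-ins that keep only the 32-byte source and 20-byte destination sizes quoted above; set_name_bounded() and set_name_ptr() are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

#define SRC_LEN 32  /* source field size quoted in the commit message */
#define DST_LEN 20  /* destination field size quoted in the commit message */

/* Simplified stand-ins (assumption), not the kernel struct definitions. */
struct machine  { char firmware[SRC_LEN]; };
struct drv_copy { char firmware_name[DST_LEN]; };
struct drv_ptr  { const char *firmware_name; };

/* Bounded copy: always NUL-terminates the destination and returns -1 when
 * the source did not fit, so the caller can fail the probe instead of
 * silently requesting a truncated firmware file name. */
static int set_name_bounded(struct drv_copy *d, const struct machine *m)
{
    const char *end = memchr(m->firmware, '\0', SRC_LEN);
    size_t n = end ? (size_t)(end - m->firmware) : SRC_LEN;

    if (n >= sizeof(d->firmware_name)) {
        memcpy(d->firmware_name, m->firmware, sizeof(d->firmware_name) - 1);
        d->firmware_name[sizeof(d->firmware_name) - 1] = '\0';
        return -1;
    }
    memcpy(d->firmware_name, m->firmware, n + 1); /* includes the NUL */
    return 0;
}

/* Pointer variant, as suggested in the reply: nothing is copied, so there is
 * no destination buffer to overrun. Only valid while the machine entry
 * outlives the driver data (assumed here). */
static void set_name_ptr(struct drv_ptr *d, const struct machine *m)
{
    d->firmware_name = m->firmware;
}

int main(void)
{
    /* Constructed inputs: the old and new names from the commit message. */
    struct machine old_fw = { "fw_sst_0f28.bin" };
    struct machine new_fw = { "intel/fw_sst_0f28.bin" };
    struct drv_copy c;
    struct drv_ptr p;

    printf("old: rc=%d\n", set_name_bounded(&c, &old_fw));
    printf("new: rc=%d name=%s\n", set_name_bounded(&c, &new_fw), c.firmware_name);
    set_name_ptr(&p, &new_fw);
    printf("ptr: %s\n", p.firmware_name);
    return 0;
}
```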