From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <andy@warmcat.com>
Received: from mail.warmcat.com (mail.warmcat.com [163.172.24.82])
 by dpdk.org (Postfix) with ESMTP id DFD961BC50
 for <dev@dpdk.org>; Fri, 11 May 2018 03:45:29 +0200 (CEST)
From: Andy Green <andy@warmcat.com>
To: dev@dpdk.org
Date: Fri, 11 May 2018 09:45:25 +0800
Message-ID: <152600312580.53146.1090136345409468008.stgit@localhost.localdomain>
In-Reply-To: <152600304856.53146.9681482138854493833.stgit@localhost.localdomain>
References: <152600304856.53146.9681482138854493833.stgit@localhost.localdomain>
User-Agent: StGit/unknown-version
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Subject: [dpdk-dev] [PATCH v4 02/18] net/nfp: solve buffer overflow
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 01:45:30 -0000

/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c: In
function ‘nfp_pf_pci_probe’:
/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3160:
23: error: ‘%s’ directive writing up to 99 bytes into a
region of size 76 [-Werror=format-overflow=]
  sprintf(fw_name, "%s/%s.nffw", DEFAULT_FW_PATH, serial);

Note fw_buf still has to increase somewhat even after
restricting serial[], since otherwise:

/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c: In
function ‘nfp_pf_pci_probe’:
/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3176:23:
error: ‘%s’ directive writing up to 99 bytes into a region
of size 76 [-Werror=format-overflow=]
  sprintf(fw_name, "%s/%s", DEFAULT_FW_PATH, card);
                       ^~
/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3262:32:
  err = nfp_fw_upload(dev, nsp, card_desc);
                                ~~~~~~~~~
/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3176:2:
note: ‘sprintf’ output between 25 and 124 bytes into a
destination of size 100
  sprintf(fw_name, "%s/%s", DEFAULT_FW_PATH, card);

Signed-off-by: Andy Green <andy@warmcat.com>
---
 drivers/net/nfp/nfp_net.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/nfp/nfp_net.c b/drivers/net/nfp/nfp_net.c
index 048324ec9..78113b41b 100644
--- a/drivers/net/nfp/nfp_net.c
+++ b/drivers/net/nfp/nfp_net.c
@@ -3144,8 +3144,8 @@ nfp_fw_upload(struct rte_pci_device *dev, struct nfp_nsp *nsp, char *card)
 	struct nfp_cpp *cpp = nsp->cpp;
 	int fw_f;
 	char *fw_buf;
-	char fw_name[100];
-	char serial[100];
+	char fw_name[125];
+	char serial[40];
 	struct stat file_stat;
 	off_t fsize, bytes;