From: Desnes Augusto Nunes do Rosario <[email protected]>
Date: Wed, 1 Nov 2017 19:03:32 -0200
> + substr = strnstr(adapter->vpd->buff, "RM", adapter->vpd->len);
> + if (!substr) {
> + dev_info(dev, "No FW level provided by VPD\n");
> + complete(&adapter->fw_done);
> + return;
> + }
> +
> + /* get length of firmware level ASCII substring */
> + fw_level_len = *(substr + 2);
> +
> + /* copy firmware version string from vpd into adapter */
> + ptr = strncpy((char *)adapter->fw_version,
> + substr + 3, fw_level_len);
You have to be more careful here, making sure first that
(substr + 2) < (adapter->vpd->buff + adapter->vpd->len),
and next that (substr + 2 + fw_level_len) is in range
as well.
