From 83214431cd02674c70402b160b16b7427e28737f Mon Sep 17 00:00:00 2001
From: Hariprasad Dhalinarasimha
Date: Thu, 3 Oct 2013 16:52:16 -0700
Subject: qseecom: Ensure incoming "app_name" does not corrupt the kernel stack

Printing a string with that does not have null terminated character, would lead to overflow, as the print continues until it finds a null terminated character. Avoid this issue by explicitly assigning a string with null termination.

Change-Id: I9528db2ba046c514d829097d08c09540588bb1a2
Signed-off-by: Hariprasad Dhalinarasimha
---
 drivers/misc/qseecom.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 4c1943b..7ab8089 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -773,6 +773,7 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp)
 if (ret)
 return ret;
 req.qsee_cmd_id = QSEOS_APP_LOOKUP_COMMAND;
+ load_img_req.img_name[MAX_APP_NAME_SIZE-1] = '\0';
 memcpy(req.app_name, load_img_req.img_name, MAX_APP_NAME_SIZE);
 ret = __qseecom_check_app_exists(req);
@@ -2453,6 +2454,7 @@ static int qseecom_query_app_loaded(struct qseecom_dev_handle *data,
 }
 req.qsee_cmd_id = QSEOS_APP_LOOKUP_COMMAND;
+ query_req.app_name[MAX_APP_NAME_SIZE-1] = '\0';
 memcpy(req.app_name, query_req.app_name, MAX_APP_NAME_SIZE);
 ret = __qseecom_check_app_exists(req);
--
cgit v1.1
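Review bot: In `qseecom_load_app`, forcing `load_img_req.img_name[MAX_APP_NAME_SIZE-1] = '\0'` silently truncates a name that fills the whole buffer, so `__qseecom_check_app_exists` looks up a shorter name than the one the caller supplied; the same applies to `query_req.app_name` in `qseecom_query_app_loaded`. Rejecting such a request is safer than resolving a different name, for example `if (strnlen(load_img_req.img_name, MAX_APP_NAME_SIZE) == MAX_APP_NAME_SIZE) return -EINVAL;` placed before the `memcpy`. The `memcpy` also relies on `req.app_name` holding at least `MAX_APP_NAME_SIZE` bytes; its declaration is outside the hunk and should be confirmed. Both function bodies start and end outside the visible hunks, so any cleanup needed on the new error return has to be checked there.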