VYPR
Unrated severity · NVD Advisory · Published Jun 7, 2013 · Updated Apr 29, 2026

CVE-2013-1929

Description

Heap-based buffer overflow in the tg3_read_vpd function in drivers/net/ethernet/broadcom/tg3.c in the Linux kernel before 3.8.6 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via crafted firmware that specifies a long string in the Vital Product Data (VPD) data structure.

Affected products

  • Linux/Kernel: 6 versions
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: <=3.8.5)
    • cpe:2.3:o:linux:linux_kernel:3.8.0:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:3.8.1:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:3.8.2:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:3.8.3:*:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:3.8.4:*:*:*:*:*:*:*

Patches

715230a44310

tg3: fix length overflow in VPD firmware parsing

https://github.com/torvalds/linux · Kees Cook · Mar 27, 2013 · via nvd-ref
1 file changed · +5 -2
  • drivers/net/ethernet/broadcom/tg3.c (+5 -2, modified)
    @@ -14604,8 +14604,11 @@ static void tg3_read_vpd(struct tg3 *tp)
     		if (j + len > block_end)
     			goto partno;
     
    -		memcpy(tp->fw_ver, &vpd_data[j], len);
    -		strncat(tp->fw_ver, " bc ", vpdlen - len - 1);
    +		if (len >= sizeof(tp->fw_ver))
    +			len = sizeof(tp->fw_ver) - 1;
    +		memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
    +		snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
    +			 &vpd_data[j]);
     	}
     
     partno:
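
Review bot: the clamp `len = sizeof(tp->fw_ver) - 1;` lets the VPD string fill the whole buffer, so for an oversized firmware string the snprintf that follows silently drops the " bc " suffix that the old code always tried to append. If anything after this point relies on that separator being present, clamp to leave room for it (the suffix is four characters plus the terminator); otherwise add a one-line comment saying that truncating the suffix is acceptable. Two smaller points on the same added lines: the precision argument to `%.*s` must be an int, and the declaration of `len` is not visible in this hunk, so confirm its type or cast it at the call; and the `memset(tp->fw_ver, 0, sizeof(tp->fw_ver));` is not needed for termination, since snprintf always NUL-terminates within the given size, so if it is there to clear stale trailing bytes a short comment would make that intent clear. Note also that `%.*s` stops at the first NUL byte in `vpd_data`, whereas the removed memcpy copied `len` raw bytes; that looks like the desired behaviour for a version string but is worth stating in the commit message.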
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
