From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrew Lunn Subject: Re: [PATCH 3/4 RFCv2] net: dsa: realtek-smi: Add Realtek SMI driver Date: Mon, 28 May 2018 21:45:06 +0200 Message-ID: <20180528194506.GF27177@lunn.ch> References: <20180528174752.6806-1-linus.walleij@linaro.org> <20180528174752.6806-4-linus.walleij@linaro.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Vivien Didelot , Florian Fainelli , netdev@vger.kernel.org, openwrt-devel@lists.openwrt.org, LEDE Development List , Antti =?iso-8859-1?Q?Sepp=E4l=E4?= , Roman Yeryomin , Colin Leitner , Gabor Juhos To: Linus Walleij Return-path: Received: from vps0.lunn.ch ([185.16.172.187]:47440 "EHLO vps0.lunn.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933608AbeE1TpI (ORCPT ); Mon, 28 May 2018 15:45:08 -0400 Content-Disposition: inline In-Reply-To: <20180528174752.6806-4-linus.walleij@linaro.org> Sender: netdev-owner@vger.kernel.org List-ID: > +struct rtl8366_mib_counter { > + unsigned base; > + unsigned offset; > + unsigned length; > + const char *name; > +}; > +void rtl8366_get_strings(struct dsa_switch *ds, int port, uint8_t *data) > +{ > + struct realtek_smi *smi = ds->priv; > + struct rtl8366_mib_counter *mib; > + int i; > + > + if (port >= smi->num_ports) > + return; > + > + for (i = 0; i < smi->num_mib_counters; i++) { > + mib = &smi->mib_counters[i]; > + memcpy(data + i * ETH_GSTRING_LEN, > + mib->name, ETH_GSTRING_LEN); > + } > +} Hi Linus name is a char *. Its length is determined by its content. But you perform a memcpy of ETH_GSTRING_LEN. This can take you off the end of the string causing an out of bounds error. Either make name ETH_GSTRING_LEN long, or you strncpy(). Andrew