From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751997AbdEJEd0 (ORCPT ); Wed, 10 May 2017 00:33:26 -0400 Received: from smtprelay0189.hostedemail.com ([216.40.44.189]:40654 "EHLO smtprelay.hostedemail.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751555AbdEJEdY (ORCPT ); Wed, 10 May 2017 00:33:24 -0400 X-Session-Marker: 6A6F6540706572636865732E636F6D X-Spam-Summary: 2,0,0,,d41d8cd98f00b204,joe@perches.com,:::::::::::::,RULES_HIT:41:355:379:541:599:960:973:988:989:1260:1277:1311:1313:1314:1345:1359:1373:1437:1515:1516:1518:1534:1542:1593:1594:1711:1730:1747:1777:1792:2393:2559:2562:2693:2828:3138:3139:3140:3141:3142:3353:3622:3865:3867:3870:3871:3874:4321:4470:5007:10004:10400:10848:11026:11232:11473:11657:11658:11914:12043:12296:12438:12555:12740:12760:12895:13149:13161:13229:13230:13439:14181:14659:14721:21080:21627:30054:30091,0,RBL:none,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:,MSBL:0,DNSBL:none,Custom_rules:0:0:0,LFtime:2,LUA_SUMMARY:none X-HE-Tag: move34_749c6a9739428 X-Filterd-Recvd-Size: 2911 Message-ID: <1494390797.4564.5.camel@perches.com> Subject: Re: [PATCH] libertas: Avoid reading past end of buffer From: Joe Perches To: Kees Cook , netdev@vger.kernel.org Cc: Kalle Valo , libertas-dev@lists.infradead.org, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Daniel Micay Date: Tue, 09 May 2017 21:33:17 -0700 In-Reply-To: <20170509232334.GA55070@beast> References: <20170509232334.GA55070@beast> Content-Type: text/plain; charset="ISO-8859-1" X-Mailer: Evolution 3.22.6-1ubuntu1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2017-05-09 at 16:23 -0700, Kees Cook wrote: > Using memcpy() from a string that is shorter than the length copied means > the destination buffer is being filled with arbitrary data from the kernel > rodata segment. Instead, use strncpy() which will fill the trailing bytes > with zeros. Additionally adjust indentation to keep checkpatch.pl happy. > > This was found with the future CONFIG_FORTIFY_SOURCE feature. [] > diff --git a/drivers/net/wireless/marvell/libertas/mesh.c b/drivers/net/wireless/marvell/libertas/mesh.c [] > @@ -1177,9 +1177,9 @@ void lbs_mesh_ethtool_get_strings(struct net_device *dev, > switch (stringset) { > case ETH_SS_STATS: > for (i = 0; i < MESH_STATS_NUM; i++) { > - memcpy(s + i * ETH_GSTRING_LEN, > - mesh_stat_strings[i], > - ETH_GSTRING_LEN); > + strncpy(s + i * ETH_GSTRING_LEN, > + mesh_stat_strings[i], > + ETH_GSTRING_LEN); > } The better solution is to declare mesh_stat_strings in in the normal way --- drivers/net/wireless/marvell/libertas/mesh.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/net/wireless/marvell/libertas/mesh.c b/drivers/net/wireless/marvell/libertas/mesh.c index d0c881dd5846..a535e7f48d2d 100644 --- a/drivers/net/wireless/marvell/libertas/mesh.c +++ b/drivers/net/wireless/marvell/libertas/mesh.c @@ -1108,15 +1108,15 @@ void lbs_mesh_set_txpd(struct lbs_private *priv, * Ethtool related */ -static const char * const mesh_stat_strings[] = { - "drop_duplicate_bcast", - "drop_ttl_zero", - "drop_no_fwd_route", - "drop_no_buffers", - "fwded_unicast_cnt", - "fwded_bcast_cnt", - "drop_blind_table", - "tx_failed_cnt" +static const char mesh_stat_strings[][ETH_GSTRING_LEN] = { + "drop_duplicate_bcast", + "drop_ttl_zero", + "drop_no_fwd_route", + "drop_no_buffers", + "fwded_unicast_cnt", + "fwded_bcast_cnt", + "drop_blind_table", + "tx_failed_cnt", }; void lbs_mesh_ethtool_get_stats(struct net_device *dev,