• Kees Cook's avatar
    libertas: Avoid reading past end of buffer · 12e3c043
    Kees Cook authored
    Using memcpy() from a string that is shorter than the length copied means
    the destination buffer is being filled with arbitrary data from the kernel
    rodata segment. Instead, redefine the stat strings to be ETH_GSTRING_LEN
    sizes, like other drivers. This lets us use a single memcpy that does not
    leak rodata contents. Additionally adjust indentation to keep checkpatch.pl
    happy.
    
    This was found with the future CONFIG_FORTIFY_SOURCE feature.
    
    Cc: Daniel Micay <danielmicay@gmail.com>
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
    12e3c043
mesh.c 29.9 KB