From: Arnd Bergmann Date: Fri, 2 Feb 2018 15:18:37 +0000 (+0100) Subject: net: cxgb4: avoid memcpy beyond end of source buffer X-Git-Tag: v4.19~1663^2~4 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1a91649fd35ff53a646981e212496f1ae92a8487;p=platform%2Fkernel%2Flinux-rpi3.git net: cxgb4: avoid memcpy beyond end of source buffer Building with link-time-optimizations revealed that the cxgb4 driver does a fixed-size memcpy() from a variable-length constant string into the network interface name: In function 'memcpy', inlined from 'cfg_queues_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:335:2, inlined from 'cxgb4_register_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:719:9: include/linux/string.h:350:3: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter __read_overflow2(); ^ I can see two equally workable solutions: either we use a strncpy() instead of the memcpy() to stop at the end of the input, or we make the source buffer fixed length as well. This implements the latter. Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller --- diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h index 1d37672..a14e8db 100644 --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h @@ -355,7 +355,7 @@ struct cxgb4_lld_info { }; struct cxgb4_uld_info { - const char *name; + char name[IFNAMSIZ]; void *handle; unsigned int nrxq; unsigned int rxq_size;