Re: [PATCH] libertas: Avoid reading past end of buffer

From: Joe Perches
Date: Wed May 10 2017 - 19:13:06 EST

Next message: Joe Perches: "Re: [PATCH v2 05/10] usb: musb: tusb6010_omap: Do not reset the other direction's packet size"
Previous message: Joe Perches: "Re: [PATCH] libertas: Avoid reading past end of buffer"
In reply to: Kalle Valo: "Re: [PATCH] libertas: Avoid reading past end of buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2017-05-10 at 12:24 -0700, Kees Cook wrote:
> Using memcpy() from a string that is shorter than the length copied means
> the destination buffer is being filled with arbitrary data from the kernel
> rodata segment.

another bit of trivia:

> diff --git a/drivers/net/wireless/marvell/libertas/mesh.c b/drivers/net/wireless/marvell/libertas/mesh.c
[]
> @@ -1170,17 +1170,11 @@ int lbs_mesh_ethtool_get_sset_count(struct net_device *dev, int sset)
[]
> + memcpy(s, *mesh_stat_strings, sizeof(mesh_stat_strings));

That * isn't necessary.

Next message: Joe Perches: "Re: [PATCH v2 05/10] usb: musb: tusb6010_omap: Do not reset the other direction's packet size"
Previous message: Joe Perches: "Re: [PATCH] libertas: Avoid reading past end of buffer"
In reply to: Kalle Valo: "Re: [PATCH] libertas: Avoid reading past end of buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]