libertas: Avoid reading past end of buffer
authorKees Cook <keescook@chromium.org>
Mon, 15 May 2017 21:26:40 +0000 (14:26 -0700)
committerKalle Valo <kvalo@codeaurora.org>
Wed, 24 May 2017 13:43:54 +0000 (16:43 +0300)
commit12e3c0433e8a3b817fbb978a1be973a04cd5d6f3
tree6ddfbf4843743a8965eda6b22f203693378baaa5
parent438f3d13da5e0714f1add1652865b864a2c36eb7
libertas: Avoid reading past end of buffer

Using memcpy() from a string that is shorter than the length copied means
the destination buffer is being filled with arbitrary data from the kernel
rodata segment. Instead, redefine the stat strings to be ETH_GSTRING_LEN
sizes, like other drivers. This lets us use a single memcpy that does not
leak rodata contents. Additionally adjust indentation to keep checkpatch.pl
happy.

This was found with the future CONFIG_FORTIFY_SOURCE feature.

Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/marvell/libertas/mesh.c