ray_cs: Avoid reading past end of buffer
authorKees Cook <keescook@chromium.org>
Fri, 5 May 2017 22:38:41 +0000 (15:38 -0700)
committerKalle Valo <kvalo@codeaurora.org>
Mon, 22 May 2017 15:27:22 +0000 (18:27 +0300)
commite48d661eb13f2f83861428f001c567fdb3f317e8
tree3a588ae021bfe8b63c907818ca2c06510a905e34
parent0aeffa7041d84976432e903cb04e8d7b0edf31ed
ray_cs: Avoid reading past end of buffer

Using memcpy() from a buffer that is shorter than the length copied means
the destination buffer is being filled with arbitrary data from the kernel
rodata segment. In this case, the source was made longer, since it did not
match the destination structure size. Additionally removes a needless cast.

This was found with the future CONFIG_FORTIFY_SOURCE feature.

Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/ray_cs.c