mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity

hv_netvsc: Avoid field-overflowing memcpy() 

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring fields.

Add flexible array to represent start of buf_info, improving readability
and avoid future warning where memcpy() thinks it is writing past the
end of the structure.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Kees Cook 2021-06-21 15:21:12 -07:00 committed by David S. Miller
parent 64a81b2448
commit f2fcffe392
2 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
drivers/net/hyperv/hyperv_net.h
View File

@ -1163,6 +1163,7 @@ struct rndis_set_request {
u32 info_buflen;
u32 info_buf_offset;
u32 dev_vc_handle;
u8 info_buf[];
};
/* Response to NdisSetRequest */

6
drivers/net/hyperv/rndis_filter.c
View File

@ -1051,10 +1051,8 @@ static int rndis_filter_set_packet_filter(struct rndis_device *dev,
set = &request->request_msg.msg.set_req;
set->oid = RNDIS_OID_GEN_CURRENT_PACKET_FILTER;
set->info_buflen = sizeof(u32);
set->info_buf_offset = sizeof(struct rndis_set_request);
memcpy((void *)(unsigned long)set + sizeof(struct rndis_set_request),
&new_filter, sizeof(u32));
set->info_buf_offset = offsetof(typeof(*set), info_buf);
memcpy(set->info_buf, &new_filter, sizeof(u32));
ret = rndis_filter_send_request(dev, request);
if (ret == 0) {