Re: [PATCH] net: cxgb4: avoid memcpy beyond end of source buffer
From: David Miller
Date: Fri Feb 02 2018 - 19:33:41 EST
From: Arnd Bergmann <arnd@xxxxxxxx>
Date: Fri, 2 Feb 2018 16:18:37 +0100
> Building with link-time-optimizations revealed that the cxgb4 driver does
> a fixed-size memcpy() from a variable-length constant string into the
> network interface name:
>
> In function 'memcpy',
> inlined from 'cfg_queues_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:335:2,
> inlined from 'cxgb4_register_uld.constprop' at drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c:719:9:
> include/linux/string.h:350:3: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
> __read_overflow2();
> ^
>
> I can see two equally workable solutions: either we use a strncpy() instead
> of the memcpy() to stop at the end of the input, or we make the source buffer
> fixed length as well. This implements the latter.
>
> Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>
Not the most pleasant thing in the world, but I can't think of a better
solution.
> @@ -355,7 +355,7 @@ struct cxgb4_lld_info {
> };
>
> struct cxgb4_uld_info {
> - const char *name;
> + char name[IFNAMSIZ];
> void *handle;
> unsigned int nrxq;
> unsigned int rxq_size;
David Laight asked how this can be the sole part of the patch.
All of these structures are initialized like:
static struct cxgb4_uld_info {
.name = "foo",
...
};
So changing from "const char *" to "char []" just works.