Message ID | 20210621222112.1749650-1-keescook@chromium.org |
---|---|
State | New |
Headers | show |
Series | hv_netvsc: Avoid field-overflowing memcpy() | expand |
Hello: This patch was applied to netdev/net-next.git (refs/heads/master): On Mon, 21 Jun 2021 15:21:12 -0700 you wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memcpy(), memmove(), and memset(), avoid > intentionally writing across neighboring fields. > > Add flexible array to represent start of buf_info, improving readability > and avoid future warning where memcpy() thinks it is writing past the > end of the structure. > > [...] Here is the summary with links: - hv_netvsc: Avoid field-overflowing memcpy() https://git.kernel.org/netdev/net-next/c/f2fcffe392c1 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h index b11aa68b44ec..bc48855dff10 100644 --- a/drivers/net/hyperv/hyperv_net.h +++ b/drivers/net/hyperv/hyperv_net.h @@ -1170,6 +1170,7 @@ struct rndis_set_request { u32 info_buflen; u32 info_buf_offset; u32 dev_vc_handle; + u8 info_buf[]; }; /* Response to NdisSetRequest */ diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c index 983bf362466a..f6c9c2a670f9 100644 --- a/drivers/net/hyperv/rndis_filter.c +++ b/drivers/net/hyperv/rndis_filter.c @@ -1051,10 +1051,8 @@ static int rndis_filter_set_packet_filter(struct rndis_device *dev, set = &request->request_msg.msg.set_req; set->oid = RNDIS_OID_GEN_CURRENT_PACKET_FILTER; set->info_buflen = sizeof(u32); - set->info_buf_offset = sizeof(struct rndis_set_request); - - memcpy((void *)(unsigned long)set + sizeof(struct rndis_set_request), - &new_filter, sizeof(u32)); + set->info_buf_offset = offsetof(typeof(*set), info_buf); + memcpy(set->info_buf, &new_filter, sizeof(u32)); ret = rndis_filter_send_request(dev, request); if (ret == 0) {
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Add flexible array to represent start of buf_info, improving readability and avoid future warning where memcpy() thinks it is writing past the end of the structure. Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/net/hyperv/hyperv_net.h | 1 + drivers/net/hyperv/rndis_filter.c | 6 ++---- 2 files changed, 3 insertions(+), 4 deletions(-)