Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5c1683b5 authored by Daniel Micay's avatar Daniel Micay Committed by Olav Haugan
Browse files

staging/rts5208: Fix read overflow in memcpy 



Noticed by FORTIFY_SOURCE, this swaps memcpy() for strncpy() to zero-value
fill the end of the buffer instead of over-reading a string from .rodata.

Change-Id: I3609e53fc3536b5c95af661a8e1622a32ef9218b
Signed-off-by: default avatarDaniel Micay <danielmicay@gmail.com>
[kees: wrote commit log]
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Wayne Porter <wporter82@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 88a5b39b69ab1828fd4130e2baadd184109cea69
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git


Signed-off-by: default avatarOlav Haugan <ohaugan@codeaurora.org>
parent baedb247

drivers/staging/rts5208/rtsx_scsi.c

+1 −1
Original line number Diff line number Diff line
@@ -536,7 +536,7 @@ static int inquiry(struct scsi_cmnd *srb, struct rtsx_chip *chip) 


	if (sendbytes > 8) {

		memcpy(buf, inquiry_buf, 8);

		memcpy(buf + 8, inquiry_string,	sendbytes - 8);

		strncpy(buf + 8, inquiry_string, sendbytes - 8);

		if (pro_formatter_flag) {

			/* Additional Length */

			buf[4] = 0x33;