hv_netvsc: Avoid field-overflowing memcpy()
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Add flexible array to represent start of buf_info, improving readability and avoid future warning where memcpy() thinks it is writing past the end of the structure. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
64a81b2448
commit
f2fcffe392
@ -1163,6 +1163,7 @@ struct rndis_set_request {
|
||||
u32 info_buflen;
|
||||
u32 info_buf_offset;
|
||||
u32 dev_vc_handle;
|
||||
u8 info_buf[];
|
||||
};
|
||||
|
||||
/* Response to NdisSetRequest */
|
||||
|
@ -1051,10 +1051,8 @@ static int rndis_filter_set_packet_filter(struct rndis_device *dev,
|
||||
set = &request->request_msg.msg.set_req;
|
||||
set->oid = RNDIS_OID_GEN_CURRENT_PACKET_FILTER;
|
||||
set->info_buflen = sizeof(u32);
|
||||
set->info_buf_offset = sizeof(struct rndis_set_request);
|
||||
|
||||
memcpy((void *)(unsigned long)set + sizeof(struct rndis_set_request),
|
||||
&new_filter, sizeof(u32));
|
||||
set->info_buf_offset = offsetof(typeof(*set), info_buf);
|
||||
memcpy(set->info_buf, &new_filter, sizeof(u32));
|
||||
|
||||
ret = rndis_filter_send_request(dev, request);
|
||||
if (ret == 0) {
|
||||
|
Loading…
Reference in New Issue
Block a user