Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memcpy(), memmove(), and memset(), avoid
> intentionally writing across neighboring fields.
>
> libipw_read_qos_param_element() copies a struct libipw_info_element
> into a struct libipw_qos_information_element, but is actually wanting to
> copy into the larger struct libipw_qos_parameter_info (the contents of
> ac_params_record[] is later examined). Refactor the routine to perform
> centralized checks, and copy the entire contents directly (since the id
> and len members match the elementID and length members):
>
> struct libipw_info_element {
> u8 id;
> u8 len;
> u8 data[];
> } __packed;
>
> struct libipw_qos_information_element {
> u8 elementID;
> u8 length;
> u8 qui[QOS_OUI_LEN];
> u8 qui_type;
> u8 qui_subtype;
> u8 version;
> u8 ac_info;
> } __packed;
>
> struct libipw_qos_parameter_info {
> struct libipw_qos_information_element info_element;
> u8 reserved;
> struct libipw_qos_ac_parameter ac_params_record[QOS_QUEUE_NUM];
> } __packed;
>
> Cc: Stanislav Yakovlev <stas.yakovlev@xxxxxxxxx>
> Cc: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
> Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
> Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
> Cc: linux-wireless@xxxxxxxxxxxxxxx
> Cc: netdev@xxxxxxxxxxxxxxx
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
2 patches applied to wireless-drivers-next.git, thanks.
d6b6d1bb80be ipw2x00: Avoid field-overflowing memcpy()
92276c592a6b ray_cs: Split memcpy() to avoid bounds check warning
--
https://patchwork.kernel.org/project/linux-wireless/patch/20210819202825.3545692-2-keescook@xxxxxxxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
