strcpy() performs no bounds checking on the destination buffer. This could result in linear overflows beyond the end of the buffer, leading to all kinds of misbehaviors. The safe replacement is strscpy(). Signed-off-by: Len Baker <len.baker@xxxxxxx> --- drivers/staging/ks7010/ks_wlan_net.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/staging/ks7010/ks_wlan_net.c b/drivers/staging/ks7010/ks_wlan_net.c index 09e7b4cd0138..7a38b1ceeb5c 100644 --- a/drivers/staging/ks7010/ks_wlan_net.c +++ b/drivers/staging/ks7010/ks_wlan_net.c @@ -158,13 +158,13 @@ static int ks_wlan_get_name(struct net_device *dev, /* for SLEEP MODE */ if (priv->dev_state < DEVICE_STATE_READY) - strcpy(cwrq->name, "NOT READY!"); + strscpy(cwrq->name, "NOT READY!", sizeof(cwrq->name)); else if (priv->reg.phy_type == D_11B_ONLY_MODE) - strcpy(cwrq->name, "IEEE 802.11b"); + strscpy(cwrq->name, "IEEE 802.11b", sizeof(cwrq->name)); else if (priv->reg.phy_type == D_11G_ONLY_MODE) - strcpy(cwrq->name, "IEEE 802.11g"); + strscpy(cwrq->name, "IEEE 802.11g", sizeof(cwrq->name)); else - strcpy(cwrq->name, "IEEE 802.11b/g"); + strscpy(cwrq->name, "IEEE 802.11b/g", sizeof(cwrq->name)); return 0; } @@ -1808,7 +1808,7 @@ static int ks_wlan_get_firmware_version(struct net_device *dev, { struct ks_wlan_private *priv = netdev_priv(dev); - strcpy(extra, priv->firmware_version); + strscpy(extra, priv->firmware_version, sizeof(extra)); dwrq->length = priv->version_size + 1; return 0; } -- 2.25.1