When building with -Warray-bounds, the following warning is emitted: In file included from ./include/linux/string.h:253, from ./arch/x86/include/asm/page_32.h:22, from ./arch/x86/include/asm/page.h:14, from ./arch/x86/include/asm/thread_info.h:12, from ./include/linux/thread_info.h:60, from ./arch/x86/include/asm/preempt.h:7, from ./include/linux/preempt.h:78, from ./include/linux/rcupdate.h:27, from ./include/linux/rculist.h:11, from ./include/linux/sched/signal.h:5, from ./drivers/staging/rtl8723bs/include/drv_types.h:17, from drivers/staging/rtl8723bs/core/rtw_recv.c:7: In function 'memcpy', inlined from 'wlanhdr_to_ethhdr' at drivers/staging/rtl8723bs/core/rtw_recv.c:1554:2: ./include/linux/fortify-string.h:41:33: warning: '__builtin_memcpy' offset [0, 5] is out of the bounds [0, 0] [-Warray-bounds] 41 | #define __underlying_memcpy __builtin_memcpy | ^ This is because the compiler sees it is possible for "ptr" to be a NULL value, and concludes that it has zero size and attempts to copy to it would overflow. Instead, detect the NULL return and error out early. Cc: Larry Finger <Larry.Finger@xxxxxxxxxxxx> Cc: Phillip Potter <phil@xxxxxxxxxxxxxxxx> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Cc: Michael Straube <straube.linux@xxxxxxxxx> Cc: Fabio Aiuto <fabioaiuto83@xxxxxxxxx> Cc: linux-staging@xxxxxxxxxxxxxxx Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> --- drivers/staging/rtl8723bs/core/rtw_recv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c index 41bfca549c64..61135c49322b 100644 --- a/drivers/staging/rtl8723bs/core/rtw_recv.c +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c @@ -1513,6 +1513,9 @@ static signed int wlanhdr_to_ethhdr(union recv_frame *precvframe) u8 *ptr = get_recvframe_data(precvframe) ; /* point to frame_ctrl field */ struct rx_pkt_attrib *pattrib = &precvframe->u.hdr.attrib; + if (!ptr) + return _FAIL; + if (pattrib->encrypt) recvframe_pull_tail(precvframe, pattrib->icv_len); -- 2.30.2