Le 20/08/2024 à 20:42, Abhishek Tamboli a écrit :
Replace strcpy() with strscpy() in rtl819x_translate_scan()
function to ensure buffer safety.
Signed-off-by: Abhishek Tamboli <abhishektamboli9@xxxxxxxxx>
---
drivers/staging/rtl8192e/rtllib_wx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8192e/rtllib_wx.c b/drivers/staging/rtl8192e/rtllib_wx.c
index fbd4ec824084..970b7fcb3f7e 100644
--- a/drivers/staging/rtl8192e/rtllib_wx.c
+++ b/drivers/staging/rtl8192e/rtllib_wx.c
@@ -61,7 +61,7 @@ static inline char *rtl819x_translate_scan(struct rtllib_device *ieee,
iwe.cmd = SIOCGIWNAME;
for (i = 0; i < ARRAY_SIZE(rtllib_modes); i++) {
if (network->mode & BIT(i)) {
- strcpy(pname, rtllib_modes[i]);
+ strscpy(pname, rtllib_modes[i], sizeof(pname));
This not correct.
sizeof(pname) is 4 here, but the buffer that is really used is "char
proto_name[6];"
6 chars are needed for storing "N-24G" (see rtllib_modes), so 5 chars +
ending \0.
When you will send a v2, here are a few others things you could give a
look at:
- is 'pname' really needed or is 'proto_name' enough?
- what about the "*pname = '\0';" after the loop?
- if a "mode" matches, do we need to iterate the whole rtllib_modes
array? (have a look at wireless_mode)
CJ
pname += strlen(rtllib_modes[i]);
}
}
--
2.34.1
