[PATCH] mac80211: Recast pointer for trailing memcpy()

Kees Cook <keescook@xxxxxxxxxxxx> · Wed, 16 Jun 2021 21:27:09 -0700

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring array fields.

Give memcpy() a specific source pointer type so it can correctly
calculate the bounds of the copy.

Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
 net/mac80211/rx.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index af0ef456eb0f..cb141bb788a8 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -559,6 +559,8 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
 
 	if (status->encoding == RX_ENC_HE &&
 	    status->flag & RX_FLAG_RADIOTAP_HE) {
+		struct ieee80211_radiotap_he *he_ptr;
+
 #define HE_PREP(f, val)	le16_encode_bits(val, IEEE80211_RADIOTAP_HE_##f)
 
 		if (status->enc_flags & RX_ENC_FLAG_STBC_MASK) {
@@ -626,18 +628,22 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
 		while ((pos - (u8 *)rthdr) & 1)
 			pos++;
 		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_HE);
-		memcpy(pos, &he, sizeof(he));
-		pos += sizeof(he);
+		he_ptr = (void *)pos;
+		memcpy(he_ptr, &he, sizeof(he));
+		pos += sizeof(*he_ptr);
 	}
 
 	if (status->encoding == RX_ENC_HE &&
 	    status->flag & RX_FLAG_RADIOTAP_HE_MU) {
+		struct ieee80211_radiotap_he_mu *he_mu_ptr;
+
 		/* ensure 2 byte alignment */
 		while ((pos - (u8 *)rthdr) & 1)
 			pos++;
 		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_HE_MU);
-		memcpy(pos, &he_mu, sizeof(he_mu));
-		pos += sizeof(he_mu);
+		he_mu_ptr = (void *)pos;
+		memcpy(he_mu_ptr, &he_mu, sizeof(he_mu));
+		pos += sizeof(*he_mu_ptr);
 	}
 
 	if (status->flag & RX_FLAG_NO_PSDU) {
@@ -647,12 +653,14 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
 	}
 
 	if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
+		struct ieee80211_radiotap_lsig *lsig_ptr;
 		/* ensure 2 byte alignment */
 		while ((pos - (u8 *)rthdr) & 1)
 			pos++;
 		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_LSIG);
-		memcpy(pos, &lsig, sizeof(lsig));
-		pos += sizeof(lsig);
+		lsig_ptr = (void *)pos;
+		memcpy(lsig_ptr, &lsig, sizeof(lsig));
+		pos += sizeof(*lsig_ptr);
 	}
 
 	for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
-- 
2.25.1







