[PATCH] bna: ethtool: Avoid reading past end of buffer - Linux-stable-mirror

9 Nov 2018

Hello,
Please picked up this patch for linux 4.4 and 4.9.
Compiled/tested without problem.
Thank.
[ Upstream commit 4dc69c1c1fff2f587f8e737e70b4a4e7565a5c94 ]
From: Kees Cook keescook@chromium.org
Date: Fri, 5 May 2017 15:30:23 -0700
Subject: [PATCH] bna: ethtool: Avoid reading past end of buffer
Using memcpy() from a string that is shorter than the length copied means
the destination buffer is being filled with arbitrary data from the kernel
rodata segment. Instead, use strncpy() which will fill the trailing bytes
with zeros.
This was found with the future CONFIG_FORTIFY_SOURCE feature.
Cc: Daniel Micay danielmicay@gmail.com
Signed-off-by: Kees Cook keescook@chromium.org
Signed-off-by: David S. Miller davem@davemloft.net
---
 drivers/net/ethernet/brocade/bna/bnad_ethtool.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
index 286593922139e..31032de5843b1 100644
--- a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
+++ b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
@@ -547,8 +547,8 @@ bnad_get_strings(struct net_device *netdev, u32 stringset, u8 *string)
    	for (i = 0; i < BNAD_ETHTOOL_STATS_NUM; i++) {
    		BUG_ON(!(strlen(bnad_net_stats_strings[i]) <
    			   ETH_GSTRING_LEN));
-			memcpy(string, bnad_net_stats_strings[i],
-			       ETH_GSTRING_LEN);
+			strncpy(string, bnad_net_stats_strings[i],
+				ETH_GSTRING_LEN);
    		string += ETH_GSTRING_LEN;
    	}
    	bmap = bna_tx_rid_mask(&bnad->bna);

    