From: Chenguang Zhao <redacted>
txgbe_read_eeprom_hostif() always copies round_up(length, 4) bytes
into the caller buffer, which ethtool allocates with exactly 'length'
bytes. A non-4-aligned length therefore causes an out-of-bounds write.
Copy only the remaining bytes on the final dword instead.
Signed-off-by: Chenguang Zhao <redacted>
---
drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
index affea1a364ef..26d0cfc58ee2 100644
--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
+++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c
@@ -96,11 +96,13 @@ int txgbe_read_eeprom_hostif(struct wx *wx,
dword_len = round_up(length, 4) >> 2;
for (i = 0; i < dword_len; i++) {
+ u32 copy_len = min_t(u32, 4, length - i * 4);
+
value = rd32a(wx, WX_FW2SW_MBOX, i + offset);
le32_to_cpus(&value);
- memcpy(data, &value, 4);
- data += 4;
+ memcpy(data, &value, copy_len);
+ data += copy_len;
}
return 0;--
2.25.1