Re: [PATCH net] net: txgbe: fix heap overflow when reading module EEPROM
From: Jacob Keller <jacob.e.keller@intel.com>
Date: 2026-07-15 00:31:53
On 7/13/2026 1:51 AM, Chenguang Zhao wrote:
From: Chenguang Zhao <redacted> txgbe_read_eeprom_hostif() always copies round_up(length, 4) bytes into the caller buffer, which ethtool allocates with exactly 'length' bytes. A non-4-aligned length therefore causes an out-of-bounds write. Copy only the remaining bytes on the final dword instead. Signed-off-by: Chenguang Zhao <redacted> ---
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
quoted hunk ↗ jump to hunk
drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c index affea1a364ef..26d0cfc58ee2 100644 --- a/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c +++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_aml.c@@ -96,11 +96,13 @@ int txgbe_read_eeprom_hostif(struct wx *wx, dword_len = round_up(length, 4) >> 2; for (i = 0; i < dword_len; i++) { + u32 copy_len = min_t(u32, 4, length - i * 4); + value = rd32a(wx, WX_FW2SW_MBOX, i + offset); le32_to_cpus(&value); - memcpy(data, &value, 4); - data += 4; + memcpy(data, &value, copy_len); + data += copy_len; } return 0;