From cb3673798b85007a7c08f52433035379348bee26 Mon Sep 17 00:00:00 2001
From: Arun Kumar Neelakantam
Date: Thu, 29 Mar 2018 20:10:02 +0530
Subject: [PATCH] net: ipc_router: Fix buffer overflow during memcpy
The increment logic of u64 pointer in skb_copy_to_log_buf() leads to buffer overflow. Modify the proto type of skb_copy_to_log_buf() function to accept only unsigned char pointer.
CRs-Fixed: 2212592
Change-Id: I8affff1316656c1060ec57f2fb10b46f85314358
Signed-off-by: Arun Kumar Neelakantam
---
 net/ipc_router/ipc_router_core.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/ipc_router/ipc_router_core.c b/net/ipc_router/ipc_router_core.c
index 09e02d4d841d..3331b461239b 100644
--- a/net/ipc_router/ipc_router_core.c
+++ b/net/ipc_router/ipc_router_core.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2016, 2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -217,7 +217,7 @@ static void init_routing_table(void)
 */
 static void skb_copy_to_log_buf(struct sk_buff_head *skb_head,
 unsigned int pl_len, unsigned int hdr_offset,
- uint64_t *log_buf)
+ unsigned char *log_buf)
 {
 struct sk_buff *temp_skb;
 unsigned int copied_len = 0, copy_len = 0;
@@ -297,7 +297,8 @@ static void ipc_router_log_msg(void *log_ctx, uint32_t xchng_type,
 else if (hdr->version == IPC_ROUTER_V2)
 hdr_offset = sizeof(struct rr_header_v2);
 }
- skb_copy_to_log_buf(skb_head, buf_len, hdr_offset, &pl_buf);
+ skb_copy_to_log_buf(skb_head, buf_len, hdr_offset,
+ (unsigned char *)&pl_buf);
 if (port_ptr && rport_ptr && (port_ptr->type == CLIENT_PORT) && (rport_ptr->server != NULL)) {
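Review bot: The new `unsigned char *log_buf` parameter of skb_copy_to_log_buf() (hunk -217,7) still carries no destination capacity, so `pl_len` is the only bound on the copy and nothing in the visible lines ties it to the size of the caller's buffer. The function body lies outside this hunk, so whether it clamps internally cannot be confirmed from here. I would state the contract in the comment above the function, e.g. `log_buf: destination of at least pl_len bytes; the caller must clamp pl_len to the buffer size`. The same point applies at the call site in hunk -297,7: if ipc_router_log_msg() does not already bound `buf_len` earlier, add `buf_len = min_t(unsigned int, buf_len, sizeof(pl_buf));` before the call.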
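Review bot: The explicit cast `(unsigned char *)&pl_buf` in hunk -297,7 silences the compiler about the type of `pl_buf`, so a later change to that variable would still compile with no warning about what is being written through the pointer. A short comment at the call, such as `/* pl_buf is logged as raw bytes; at most sizeof(pl_buf) are copied */`, would record why the cast is safe. Alternatively the parameter could be declared `void *log_buf` and converted once inside the callee, which removes the need for a cast at every caller while keeping byte-wise arithmetic. ipc_router_log_msg() starts and ends outside this hunk, so the declaration of `pl_buf` is not visible here.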