> +struct rtl8366_mib_counter {
> +     unsigned        base;
> +     unsigned        offset;
> +     unsigned        length;
> +     const char      *name;
> +};
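
Review bot: base, offset and length in struct rtl8366_mib_counter are declared as bare "unsigned"; kernel coding style prefers "unsigned int", and checkpatch warns about the bare form. A short comment on each field would also help, since the struct does not say what base and offset index or what unit length is counted in.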


> +void rtl8366_get_strings(struct dsa_switch *ds, int port, uint8_t *data)
> +{
> +     struct realtek_smi *smi = ds->priv;
> +     struct rtl8366_mib_counter *mib;
> +     int i;
> +
> +     if (port >= smi->num_ports)
> +             return;
> +
> +     for (i = 0; i < smi->num_mib_counters; i++) {
> +             mib = &smi->mib_counters[i];
> +             memcpy(data + i * ETH_GSTRING_LEN,
> +                    mib->name, ETH_GSTRING_LEN);
> +     }
> +}
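
Review bot: the memcpy() in the loop always reads ETH_GSTRING_LEN bytes from mib->name, but name is a const char * whose length is set by its contents, so any name shorter than ETH_GSTRING_LEN is read past its terminator. Use a bounded string copy that stops at the NUL and zero-pads the rest of the slot, for example strncpy(data + i * ETH_GSTRING_LEN, mib->name, ETH_GSTRING_LEN), or declare name as char name[ETH_GSTRING_LEN] in struct rtl8366_mib_counter so the fixed-size copy stays inside the object.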

Hi Linus

name is a char *. Its length is determined by its content. But you
perform a memcpy of ETH_GSTRING_LEN. This can take you off the end of
the string causing an out of bounds error. Either make name
ETH_GSTRING_LEN long, or you strncpy().

        Andrew
