drivers/mtd/ubispl/ubispl.c: limit copy size

The fastmap VID header is embedded in struct ubi_scan_info. During fastmap
scan, the header is copied into struct ubi_scan_info, if valid. The former
code mixed up the amount of copied bytes and copied more bytes than
nessesary. This had no side effect, since the affected struct members are
uninitialized at that point and overwritten later.

Limit the copied bytes to the VID header size.

Signed-off-by: Benedikt Spranger <b.spranger@linutronix.de>
Reported-by: Andrew Goodbody <andrew.goodbody@linaro.org>

diff --git a/drivers/mtd/ubispl/ubispl.c b/drivers/mtd/ubispl/ubispl.c
index 9face5fae15a90c75353bfeca9a2cd88075525bf..0143caa051d412fa7b89589d37f7924710eb283e 100644 (file)
--- a/drivers/mtd/ubispl/ubispl.c
+++ b/drivers/mtd/ubispl/ubispl.c
@@ -779,7 +779,7 @@ static int ubi_scan_fastmap(struct ubi_scan_info *ubi,
                 * that already so we merily copy it over.
                 */
                if (pnum == fm_anchor)
-                       memcpy(vh, ubi->blockinfo + pnum, sizeof(*fm));
+                       memcpy(vh, ubi->blockinfo + pnum, sizeof(*vh));
 
                if (i == 0) {
                        if (be32_to_cpu(vh->vol_id) != UBI_FM_SB_VOLUME_ID) {