From: Fix mt7925e Buffer Overflow Fix strnlen buffer overflow detected in the mt76_connac2_load_patch() function when loading firmware for MediaTek MT7925 WiFi chipset on kernel 6.19.0-rc1. The issue is in line 3128 where dev_info() uses format specifier %.16s on a 16-byte buffer (mt76_connac2_patch_hdr.build_date[16]), which can cause the fortified strnlen to read beyond buffer bounds if the string is not properly null-terminated within the buffer. The fix changes the format specifier from %.16s to %.15s, consistent with the similar mt76_connac2_fw_trailer structure which has a 15-byte build_date field and uses %.15s format in mt76_connac2_load_ram(). Error message fixed: strnlen: detected buffer overflow: 17 byte read of buffer size 16 kernel BUG at lib/string_helpers.c:1043! Kernel: 6.19.0-rc1-1-cachyos-rc Device: MediaTek MT7925 (mt7925e driver) Fixes: regression in 6.19.0-rc1 (works in 6.18.2) Reported-by: CachyOS Bug Report --- mt76_connac_mcu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mt76_connac_mcu.c b/mt76_connac_mcu.c index fba7025f..c284ad7f 100644 --- a/mt76_connac_mcu.c +++ b/mt76_connac_mcu.c @@ -3124,7 +3124,7 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name) } hdr = (const void *)fw->data; - dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n", + dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.15s\n", be32_to_cpu(hdr->hw_sw_ver), hdr->build_date); for (i = 0; i < be32_to_cpu(hdr->desc.n_region); i++) { -- 2.40.0
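Review bot: In the dev_info() call, lowering the precision from %.16s to %.15s silently drops the last character of any build_date that fills all 16 bytes of the field. The commit message also does not explain how a precision of 16 leads to the reported 17-byte read of a 16-byte buffer, so the patch does not show that 15 removes the cause rather than hiding the symptom. Consider copying hdr->build_date into a local buffer of sizeof(hdr->build_date) + 1 bytes and NUL-terminating it before printing, which keeps the full string and bounds the read. At minimum, add a comment next to the format string explaining why the precision is one less than the field size, since the bare 15 gives no hint that it is tied to build_date[16]. Separately, the Fixes: line describes a regression but names no commit, and the message carries no Signed-off-by.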