Commit f804a5895eba ("wifi: mt76: Strip whitespace from build ddate") introduced a kernel panic/WARN on systems using MediaTek MT7921e (and potentially others using mt76_connac_lib) due to an incorrect buffer size calculation. The error logged is: "strnlen: detected buffer overflow: 17 byte read of buffer size 16" This occurs because the field 'hdr->build_date' is a fixed-size array of 16 bytes. The patch allocated a 17-byte local buffer 'build_date' but used 'sizeof(build_date)' (17) as the read limit for strscpy, causing Fortify Source to correctly detect an attempt to read 17 bytes from the 16-byte source field. To fix this, replace strscpy with memcpy, which is appropriate for raw data copying, and explicitly use the size of the source field (sizeof(hdr->build_date) = 16) to limit the read, followed by manual null termination. Fixes: f804a5895eba ("wifi: mt76: Strip whitespace from build ddate") Signed-off-by: Mikhail Gavrilov --- drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c index ea99167765b0..d2c4c65ec464 100644 --- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c @@ -3125,8 +3125,11 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name) } hdr = (const void *)fw->data; - strscpy(build_date, hdr->build_date, sizeof(build_date)); - build_date[16] = '\0'; + /* hdr->build_date is 16 bytes. Copy exactly 16 bytes to the 17-byte buffer, + * and then add the null terminator at index 16. + */ + memcpy(build_date, hdr->build_date, sizeof(hdr->build_date)); + build_date[sizeof(hdr->build_date)] = '\0'; strim(build_date); dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n", be32_to_cpu(hdr->hw_sw_ver), build_date); -- 2.52.0