From 88e7a462f05d88bf3b782c3d06903b9cd1c19430 Mon Sep 17 00:00:00 2001
From: Benedikt Spranger <b.spranger@linutronix.de>
Date: Wed, 17 Sep 2025 11:14:17 +0200
Subject: [PATCH] drivers/mtd/ubispl/ubispl.c: limit copy size

The fastmap VID header is embedded in struct ubi_scan_info. During fastmap
scan, the header is copied into struct ubi_scan_info, if valid. The former
code mixed up the amount of copied bytes and copied more bytes than
nessesary. This had no side effect, since the affected struct members are
uninitialized at that point and overwritten later.

Limit the copied bytes to the VID header size.

Signed-off-by: Benedikt Spranger <b.spranger@linutronix.de>
Reported-by: Andrew Goodbody <andrew.goodbody@linaro.org>
---
 drivers/mtd/ubispl/ubispl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mtd/ubispl/ubispl.c b/drivers/mtd/ubispl/ubispl.c
index 9face5fae15..0143caa051d 100644
--- a/drivers/mtd/ubispl/ubispl.c
+++ b/drivers/mtd/ubispl/ubispl.c
@@ -779,7 +779,7 @@ static int ubi_scan_fastmap(struct ubi_scan_info *ubi,
 		 * that already so we merily copy it over.
 		 */
 		if (pnum == fm_anchor)
-			memcpy(vh, ubi->blockinfo + pnum, sizeof(*fm));
+			memcpy(vh, ubi->blockinfo + pnum, sizeof(*vh));
 
 		if (i == 0) {
 			if (be32_to_cpu(vh->vol_id) != UBI_FM_SB_VOLUME_ID) {
-- 
2.47.3