The original code is OK.

On Wed, Nov 28, 2018 at 02:22:31AM +0000, Yang Xiao wrote:
> From: Young Xiao <YangX92@xxxxxxxxxxx>
>
> In routine rtw_report_sec_ie(), the code could set the length
> of the buffer to 256; however, that value is one larger than the
> corresponding memory allocation.
>
> See commit 8b7a13c3f404 ("staging: r8712u: Fix possible
> buffer overrun") for detail.

This bug is from 2012... It's a real bug, but looking at things in retrospect we probably didn't do the right fix. The correct patch would be to revert 8b7a13c3f404 and change this instead:

Can you send that? Do it as one patch. (Don't make it a revert commit, that's just a headache, make it a normal patch with a Fixes tag). The commit message would look something like:

In commit 8b7a13c3f404 ("staging: r8712u: Fix possible buffer overrun") we fix a potential off by one by making the limit smaller. The better fix is to make the buffer larger. This makes it match up with the similar code in other drivers. Blah blah blah. Etc.

diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c index a7374006a9fb..986a1d526918 100644 --- a/drivers/staging/rtl8712/rtl871x_mlme.c +++ b/drivers/staging/rtl8712/rtl871x_mlme.c @@ -1346,7 +1346,7 @@ sint r8712_restruct_sec_ie(struct _adapter *adapter, u8 *in_ie, u8 *out_ie, uint in_len) { u8 authmode = 0, match; - u8 sec_ie[255], uncst_oui[4], bkup_ie[255]; + u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[255]; u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01}; uint ielength, cnt, remove_cnt; int iEntry;
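
Review bot: On the changed declaration in r8712_restruct_sec_ie(), sec_ie is now sized with IW_CUSTOM_MAX while bkup_ie on the same line keeps the literal 255, and nothing in the hunk shows the length limit that writes into sec_ie are checked against. Since the message asks for the revert of 8b7a13c3f404 to go into the same patch, the restored limit and the new array size should be expressed with the same constant so the two cannot drift apart again, and the commit message should say whether bkup_ie is bounded separately or needs the same treatment. Splitting the declaration so each buffer sits on its own line would also make the sizing easier to audit.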