The original code is OK.
On Wed, Nov 28, 2018 at 02:22:31AM +0000, Yang Xiao wrote:
> From: Young Xiao <YangX92@xxxxxxxxxxx>
>
> In routine rtw_report_sec_ie(), the code could set the length
> of the buffer to 256; however, that value is one larger than the
> corresponding memory allocation.
>
> See commit 8b7a13c3f404 ("staging: r8712u: Fix possible
> buffer overrun") for detail.
This bug is from 2012... It's a real bug, but looking at things in
retrospect we probably didn't do the right fix. The correct patch would
be to revert 8b7a13c3f404 and change this instead:
Can you send that? Do it as one patch. (Don't make it a revert commit,
that's just a headache, make it a normal patch with a Fixes tag). The
commit message would look something like:
In commit 8b7a13c3f404 ("staging: r8712u: Fix possible buffer
overrun") we fix a potential off by one by making the limit smaller.
The better fix is to make the buffer larger. This makes it match up
with the similar code in other drivers. Blah blah blah. Etc.
diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c
index a7374006a9fb..986a1d526918 100644
--- a/drivers/staging/rtl8712/rtl871x_mlme.c
+++ b/drivers/staging/rtl8712/rtl871x_mlme.c
@@ -1346,7 +1346,7 @@ sint r8712_restruct_sec_ie(struct _adapter *adapter, u8 *in_ie,
u8 *out_ie, uint in_len)
{
u8 authmode = 0, match;
- u8 sec_ie[255], uncst_oui[4], bkup_ie[255];
+ u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[255];
u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01};
uint ielength, cnt, remove_cnt;
int iEntry;
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
