Yes, you are right. I will send a new patch.

Young

On 2018/11/28 14:51, Dan Carpenter wrote:
> The original code is OK.
>
> On Wed, Nov 28, 2018 at 02:22:31AM +0000, Yang Xiao wrote:
>> From: Young Xiao <YangX92@xxxxxxxxxxx>
>>
>> In routine rtw_report_sec_ie(), the code could set the length
>> of the buffer to 256; however, that value is one larger than the
>> corresponding memory allocation.
>>
>> See commit 8b7a13c3f404 ("staging: r8712u: Fix possible
>> buffer overrun") for detail.
> This bug is from 2012... It's a real bug, but looking at things in
> retrospect we probably didn't do the right fix. The correct patch would
> be to revert 8b7a13c3f404 and change this instead:
>
> Can you send that? Do it as one patch. (Don't make it a revert commit,
> that's just a headache, make it a normal patch with a Fixes tag). The
> commit message would look something like:
>
> In commit 8b7a13c3f404 ("staging: r8712u: Fix possible buffer
> overrun") we fix a potential off by one by making the limit smaller.
> The better fix is to make the buffer larger. This makes it match up
> with the similar code in other drivers. Blah blah blah. Etc.
>
> diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c
> index a7374006a9fb..986a1d526918 100644
> --- a/drivers/staging/rtl8712/rtl871x_mlme.c
> +++ b/drivers/staging/rtl8712/rtl871x_mlme.c
> @@ -1346,7 +1346,7 @@ sint r8712_restruct_sec_ie(struct _adapter *adapter, u8 *in_ie,
> u8 *out_ie, uint in_len)
> {
> u8 authmode = 0, match;
> - u8 sec_ie[255], uncst_oui[4], bkup_ie[255];
> + u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[255];
> u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01};
> uint ielength, cnt, remove_cnt;
> int iEntry;
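Review bot: On the changed declaration in r8712_restruct_sec_ie(), only sec_ie grows to IW_CUSTOM_MAX while bkup_ie on the same line stays at a bare 255. If bkup_ie can ever hold the same IE data as sec_ie, size it with the same constant; if 255 is deliberately enough there, say so in the commit message, since the mixed sizes on one line read as an oversight. The hunk shown also carries only the buffer enlargement: the revert of the limit change from 8b7a13c3f404 that the suggested commit message describes has to be part of the same patch, otherwise the larger buffer and the smaller limit end up coexisting.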