Re: [PATCH 1/2] staging: rtl8192e: Pass array value to memcpy instead of struct pointer

"Gustavo A. R. Silva" <gustavo@xxxxxxxxxxxxxx> · Sat, 20 Feb 2021 12:34:15 -0600

On 2/20/21 12:21, Atul Gopinathan wrote:
> The variable "info_element" is of the following type:
> struct rtllib_info_element *info_element
> 
> rtllib_info_element is a struct containing the following fields as
> defined in drivers/staging/rtl8192e/rtllib.h:
> 
> struct rtllib_info_element {
>         u8 id;
>         u8 len;
>         u8 data[];
> } __packed;
> 
> The following code of interest (to which this patch applies) is
> supposed to check if the "info_element->len" is greater than 4 and
> equal to 6, if this is satisfied then, the last two bytes (the
> 4th and 5th index of u8 "data" array) are copied into
> "network->CcxRmState".
> 
> Currently the code uses "memcpy()" with the source as
> "&info_element[4]" which would copy in wrong and unintended
> information.
> 
> This patch rectifies this error by using "&info_element->data[4]" which
> rightly copies the last two bytes as the required state information.

You should include a 'Fixes' tag for this.

Also, is this code in -stable? If so, then tag this patch for stable, please.

Thanks
--
Gustavo

> 
> Signed-off-by: Atul Gopinathan <atulgopinathan@xxxxxxxxx>
> ---
>  drivers/staging/rtl8192e/rtllib_rx.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/staging/rtl8192e/rtllib_rx.c b/drivers/staging/rtl8192e/rtllib_rx.c
> index 66c135321da4..15bbb63ca130 100644
> --- a/drivers/staging/rtl8192e/rtllib_rx.c
> +++ b/drivers/staging/rtl8192e/rtllib_rx.c
> @@ -1963,15 +1963,15 @@ static void rtllib_parse_mife_generic(struct rtllib_device *ieee,
>  
>  	if (info_element->len > 4 &&
>  	    info_element->data[0] == 0x00 &&
>  	    info_element->data[1] == 0x40 &&
>  	    info_element->data[2] == 0x96 &&
>  	    info_element->data[3] == 0x01) {
>  		if (info_element->len == 6) {
> -			memcpy(network->CcxRmState, &info_element[4], 2);
> +			memcpy(network->CcxRmState, &info_element->data[4], 2);
>  			if (network->CcxRmState[0] != 0)
>  				network->bCcxRmEnable = true;
>  			else
>  				network->bCcxRmEnable = false;
>  			network->MBssidMask = network->CcxRmState[1] & 0x07;
>  			if (network->MBssidMask != 0) {
>  				network->bMBssidValid = true;
> 
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel