Re: [PATCH] staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Mar 05, 2021 at 03:00:14PM +0000, Lee wrote:
> 
> Hi Dan,
> 
> Do you think any of these could be potential issues:
> 
> driver/staging/
> 
> rtl8192e/rtllib_rx.c:2442

	memcpy(dst->ssid, src->ssid, src->ssid_len);

Smatch says that at this point we know "src->ssid_len" is in the 1-32
range.  This is without any fixes to how Smatch parses nl_len().

> wlan-ng/cfg80211.c:316

   313          if (request->n_ssids > 0) {
   314                  msg1.scantype.data = P80211ENUM_scantype_active;
   315                  msg1.ssid.data.len = request->ssids->ssid_len;
   316                  memcpy(msg1.ssid.data.data,
   317                         request->ssids->ssid, request->ssids->ssid_len);
   318          } else {

The only thing Smatch knows about "request->ssids->ssid_len" is that
it's 0-255.  I had not marked "msg1.ssid.data.data" as a protected
struct member so it didn't generate a warning.

I think cfg80211_scan_request structs are filled out in a systematic
way in ieee80211_request_ibss_scan() and they're bounds checked properly
so this isn't a bug.

> rtl8723bs/os_dep/ioctl_cfg80211.c:1591
> rtl8723bs/os_dep/ioctl_cfg80211.c:2738

Same.

regards,
dan carpenter

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel



[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux