On Mon, Oct 26, 2015 at 08:41:06PM +0700, Ivan Safonov wrote:
> On 10/26/2015 04:06 PM, Dan Carpenter wrote:
> >On Sat, Oct 24, 2015 at 08:42:29PM +0700, Ivan Safonov wrote:
> >>diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> >>index 98bdc95..735e24b 100644
> >>--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> >>+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> >>@@ -2669,7 +2669,7 @@ static int rtw_get_sta_wpaie(struct net_device *dev, struct ieee_param *param)
> >> int copy_len;
> >> wpa_ie_len = psta->wpa_ie[1];
> >>- copy_len = ((wpa_ie_len+2) > sizeof(psta->wpa_ie)) ? (sizeof(psta->wpa_ie)) : (wpa_ie_len+2);
> >>+ copy_len = min(wpa_ie_len + 2, (int)sizeof(psta->wpa_ie));
> >> param->u.wpa_ie.len = copy_len;
> >> memcpy(param->u.wpa_ie.reserved, psta->wpa_ie, copy_len);
> >
> >In the original code if "wpa_ie_len + 2" was negative then copy_len is
> >sizeof(psta->wpa_ie), but in the new code copy_len is a negative
> >number and the memcpy() will corrupt memory and crash the system.
> >
> >regards,
> >dan carpenter
>
> It is quite unexpected for me.
>
> I proceeded from the assumption that psta->wpa_ie[1] is u8 and
> wpa_ie_len (and wpa_ie_len + 2) is always greater than zero and less
> than INT_MAX.
>

Ah. Yes. You're right. psta->wpa_ie[] is u8. My mistake. Sorry for that.

regards,
dan carpenter
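Review bot: the replacement `min(wpa_ie_len + 2, (int)sizeof(psta->wpa_ie))` is only equivalent to the ternary it removes if `wpa_ie_len + 2` can never be negative, and the hunk shows `int copy_len;` but not the declaration of `wpa_ie_len`, so that cannot be confirmed from the diff alone. In the old ternary the int operand is converted to size_t for the `>` comparison, which is why a negative value would have clamped to `sizeof()`; the new form compares as int and would pass a negative straight into `memcpy()`. As the thread settles, `wpa_ie_len` is loaded from `psta->wpa_ie[1]`, a u8, so the sum lies in 2..257 and the change is safe, but the commit message should state that, since it is the whole basis for the simplification. The explicit `(int)` cast on `sizeof()` can also be written with the kernel's usual mixed-type idiom, `min_t(int, wpa_ie_len + 2, sizeof(psta->wpa_ie))`.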
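The sign question raised in the thread, worked through as an added C example (not code from the thread or from the rtl8188eu driver): the pre-patch ternary and the post-patch min() are compared on a signed length, where they diverge, and then exhaustively on every u8 length byte, where they agree. The 32-byte buffer size and the helper names are assumptions; the real `struct sta_info` layout is not shown in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char u8;

/* Constructed stand-in for sizeof(psta->wpa_ie); the real size is not
 * shown in the thread, 32 is an assumption for illustration. */
#define WPA_IE_BUF 32

/* The pre-patch ternary. In the original the comparison is int vs size_t,
 * so C's usual arithmetic conversions turn a negative int into a huge
 * size_t and the clamp picks sizeof(). The cast makes that explicit. */
static int clamp_ternary(int len_plus_2, size_t buf_size)
{
    return ((size_t)len_plus_2 > buf_size) ? (int)buf_size : len_plus_2;
}

/* The post-patch form, min(wpa_ie_len + 2, (int)sizeof(...)): both
 * operands are int, so a negative value is returned unchanged. */
static int clamp_min(int len_plus_2, size_t buf_size)
{
    int b = (int)buf_size;
    return len_plus_2 < b ? len_plus_2 : b;
}

/* Guarded copy: memcpy() takes size_t, so a negative int length would be
 * converted to a multi-gigabyte count. Refuse anything out of range and
 * return -1; otherwise return the number of bytes copied. */
static int copy_ie(u8 *dst, size_t dst_size, const u8 *src, int copy_len)
{
    if (copy_len < 0 || (size_t)copy_len > dst_size)
        return -1;
    memcpy(dst, src, (size_t)copy_len);
    return copy_len;
}

/* Convenience wrapper with its own constructed buffers. */
static int try_copy(int copy_len)
{
    u8 src[WPA_IE_BUF] = {0};
    u8 dst[WPA_IE_BUF];
    return copy_ie(dst, sizeof(dst), src, copy_len);
}

/* Exhaustive check of the thread's resolution: when the length byte is a
 * u8 (psta->wpa_ie[1]), len + 2 lies in 2..257, both forms agree, and the
 * result never exceeds the buffer. Returns 1 if that holds for all 256
 * byte values, otherwise 0. */
static int min_form_safe_for_all_u8(size_t buf_size)
{
    for (int v = 0; v <= 255; v++) {
        u8 ie_len = (u8)v;
        int a = clamp_ternary(ie_len + 2, buf_size);
        int b = clamp_min(ie_len + 2, buf_size);
        if (a != b || b < 2 || (size_t)b > buf_size)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* A signed length as feared in the review: ternary clamps, min() does not. */
    int neg = -5 + 2;
    printf("ternary: %d  min: %d\n",
           clamp_ternary(neg, WPA_IE_BUF), clamp_min(neg, WPA_IE_BUF));
    printf("guarded copy of min() result: %d\n",
           try_copy(clamp_min(neg, WPA_IE_BUF)));
    printf("u8 length byte, all 256 values safe: %d\n",
           min_form_safe_for_all_u8(WPA_IE_BUF));
    return 0;
}
```

The guarded `copy_ie()` is the defensive shape a reviewer would want around any length derived from attacker-influenced frame data: whatever the clamp expression does, the copy itself rejects a negative or oversized count instead of handing it to `memcpy()`.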