Re: [patch] brcmfmac: use kcalloc() to prevent integer overflow

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Speaking of integer overflows, I had a couple other concerns in this
file.

drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c brcmf_enq_event()
  4144          total_len = sizeof(struct brcmf_cfg80211_event_q);
  4145          if (data)
  4146                  data_len = be32_to_cpu(msg->datalen);
  4147          else
  4148                  data_len = 0;
  4149          total_len += data_len;
                ^^^^^^^^^^^^^^^^^^^^^
This looks very suspicious like a remote exploitable overflow.

  4150          e = kzalloc(total_len, GFP_ATOMIC);

drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c brcmf_run_escan()
   882          if (request != NULL) {
   883                  /* Allocate space for populating ssids in struct */
   884                  params_size += sizeof(u32) * ((request->n_channels + 1) / 2);
   885  
   886                  /* Allocate space for populating ssids in struct */
   887                  params_size += sizeof(struct brcmf_ssid) * request->n_ssids;
   888          }
   889  
   890          params = kzalloc(params_size, GFP_KERNEL);

I didn't track back where request comes from so I don't know if
that's a problem or not.  I figured you would know better than I
would.

regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux