Re: [patch 2/2] staging: r8188eu: overflow in rtw_p2p_get_go_device_address()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Am 03.02.2014 23:38, schrieb Dan Carpenter:
> The go_devadd_str[] array is two characters too small to hold the
> address so we corrupt memory.
> 
> I've changed the user space API slightly and I don't have a way to test
> if this breaks anything.  In the original code we truncated away the
> last digit of the address and the NUL terminator so it was already a bit
> broken.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> 
> diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> index dec992569476..4ad80ae1067f 100644
> --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> @@ -3164,9 +3164,7 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
>  	u8 *p2pie;
>  	uint p2pielen = 0, attr_contentlen = 0;
>  	u8 attr_content[100] = {0x00};
> -
> -	u8 go_devadd_str[17 + 10] = {0x00};
> -	/*  +10 is for the str "go_devadd =", we have to clear it at wrqu->data.pointer */
> +	u8 go_devadd_str[17 + 12] = {};


you are deleting the explanation for the magic numbers here,
- intentionally  ?

NTL, it would be nice to have a full explanation like
 10= space for  "go_devadd ="
 17= space for attr_content %.2X:%.2X:%.2X:%.2X:%.2X:%.2X
re,
 wh

>  	/*	Commented by Albert 20121209 */
>  	/*	The input data is the GO's interface address which the application wants to know its device address. */
> @@ -3223,12 +3221,12 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
>  	spin_unlock_bh(&pmlmepriv->scanned_queue.lock);
>  
>  	if (!blnMatch)
> -		sprintf(go_devadd_str, "\n\ndev_add = NULL");
> +		snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add = NULL");
>  	else
> -		sprintf(go_devadd_str, "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X",
> +		snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X",
>  			attr_content[0], attr_content[1], attr_content[2], attr_content[3], attr_content[4], attr_content[5]);
>  
> -	if (copy_to_user(wrqu->data.pointer, go_devadd_str, 10 + 17))
> +	if (copy_to_user(wrqu->data.pointer, go_devadd_str, sizeof(go_devadd_str)))
>  		return -EFAULT;
>  	return ret;
>  }
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux