On Tue, Aug 24, 2021 at 10:27:27AM +0300, Pavel Skripkin wrote:
> @@ -83,7 +83,12 @@ int proc_get_read_reg(char *page, char **start, > > switch (proc_get_read_len) { > case 1: > - len += snprintf(page + len, count - len, "rtw_read8(0x%x)=0x%x\n", proc_get_read_addr, rtw_read8(padapter, proc_get_read_addr)); > + error = rtw_read8(padapter, proc_get_read_addr, (u8 *) &tmp); > + if (error) > + return len; > + > + len += snprintf(page + len, count - len, "rtw_read8(0x%x)=0x%x\n", > + proc_get_read_addr, (u8) tmp); > break;

Oh my goodness... :P If you look at what proc_get_read_addr is, it turns
out it's a 32bit address which is controlled by the user in
proc_set_read_reg(). LOL! Just a giant security hole.

My advice is just delete this dead code. No one is using it so how
necessary can it be?

regards,
dan carpenter
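
Review bot: the `(u8 *) &tmp` cast in the `case 1:` branch stores a single byte at the lowest address of `tmp`, and the following `(u8) tmp` reads back the least significant byte; if `tmp` is declared wider than u8 (its declaration is outside the visible lines), those are different bytes on a big-endian machine and the printed value is wrong. A dedicated u8 local for this case would avoid both casts. In the same branch, `if (error) return len;` drops the error code, so a failed read is indistinguishable from short output; returning or printing `error` would make the failure visible. Separately, nothing in this hunk range-checks `proc_get_read_addr` before it is passed to `rtw_read8()`, which is the concern raised in the reply above.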