On Wed, Apr 20, 2022 at 07:23:28AM -0500, Rebecca Mckeever wrote:
> Currently, these three get_key functions return -1 when the provided len
> value is less than a specific key length value, which can result in buffer
> overflow depending on how the returned value is used. These functions are
> used in three places in ieee80211/ieee80211_wx.c:
>
> ieee80211_wx_get_encode() :
>   The behavior of this function will be unchanged.
>
> ieee80211_wx_get_encode_ext() :
>   The result of the get_key function is written to ext->key_len,
>   resulting in a buffer overflow if the result is negative.
>
> ieee80211_wx_set_encode() :
>   The behavior of this function will change. When len is less than the
>   key length value, it will set a default key of all 0.
>
> Suggested-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Signed-off-by: Rebecca Mckeever <remckee0@xxxxxxxxx>

Of course I suggested this one, but reviewing it again it still seems
like the right thing.

Good commit message. It explains the controversial bit nicely which is
the behavior change in ieee80211_wx_set_encode(). When you explain all
the controversial bits in advance then it builds trust.

regards,
dan carpenter
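
The signedness problem described in the quoted commit message, as an added example that is not part of the original thread or the driver's code. It is a simplified C model: `struct ext_model`, `get_key_before`, `get_key_after`, `caller_key_len`, `key_len_in_bounds` and the sizes are constructed stand-ins, and returning 0 is an assumed form of the fix, since the patch itself is not shown here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN 13   /* constructed key size for this model */
#define KEY_BUF 32   /* constructed size of the caller's key buffer */

/* Simplified stand-in for the wireless-extensions struct: key_len is unsigned 16-bit. */
struct ext_model { uint16_t key_len; uint8_t key[KEY_BUF]; };

static const uint8_t stored_key[KEY_LEN] = { 0xA5 };  /* constructed key bytes */

/* "Before" behaviour from the commit message: -1 when len is too small. */
static int get_key_before(void *buf, int len)
{
    if (len < KEY_LEN)
        return -1;
    memcpy(buf, stored_key, KEY_LEN);
    return KEY_LEN;
}

/* Assumed form of the fix (patch not shown on the page): report 0 bytes. */
static int get_key_after(void *buf, int len)
{
    if (len < KEY_LEN)
        return 0;
    memcpy(buf, stored_key, KEY_LEN);
    return KEY_LEN;
}

/* Caller pattern from the commit message: result stored straight into key_len. */
static uint16_t caller_key_len(int (*get_key)(void *, int), int max_len)
{
    struct ext_model ext = { 0 };
    ext.key_len = get_key(ext.key, max_len);  /* -1 silently becomes 65535 */
    return ext.key_len;
}

/* Check a consumer of key_len needs before trusting it as a copy length. */
static int key_len_in_bounds(uint16_t n) { return n <= KEY_BUF; }

int main(void)
{
    uint16_t before = caller_key_len(get_key_before, 5);
    uint16_t after = caller_key_len(get_key_after, 5);
    printf("before=%u (in bounds: %d), after=%u (in bounds: %d)\n", (unsigned)before,
           key_len_in_bounds(before), (unsigned)after, key_len_in_bounds(after));
    return 0;
}
```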