Hello Avinash Patil, The patch 5f2caaf32bc6: "mwifiex: parse TDLS action frames during RX" from Feb 7, 2014, leads to the following static checker warning: drivers/net/wireless/mwifiex/tdls.c:873 mwifiex_process_tdls_action_frame() error: '2 + pos[1]' from user is not capped properly drivers/net/wireless/mwifiex/tdls.c 868 memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos, 869 sizeof(struct ieee_types_header) + 870 min_t(u8, pos[1], 8)); 871 break; 872 case WLAN_EID_RSN: 873 memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos, 874 sizeof(struct ieee_types_header) + pos[1]); The ->rsn_ie buffer is 256 bytes large. sizeof(struct ieee_types_header) is 2. pos[1] is a number between 0-255. This can write 1 byte beyond the end. 875 break; 876 case WLAN_EID_QOS_CAPA: 877 sta_ptr->tdls_cap.qos_info = pos[2]; 878 break; regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
