Hi Dan,

Thanks for reporting the static checker warning. A patch has been submitted which ensures we do not copy beyond the end.

Thanks,
Avinash.

________________________________________
From: Dan Carpenter [dan.carpenter@xxxxxxxxxx]
Sent: Thursday, August 28, 2014 6:53 PM
To: Avinash Patil
Cc: linux-wireless@xxxxxxxxxxxxxxx
Subject: re: mwifiex: parse TDLS action frames during RX

Hello Avinash Patil,

The patch 5f2caaf32bc6: "mwifiex: parse TDLS action frames during RX" from Feb 7, 2014, leads to the following static checker warning:

        drivers/net/wireless/mwifiex/tdls.c:873 mwifiex_process_tdls_action_frame()
        error: '2 + pos[1]' from user is not capped properly

drivers/net/wireless/mwifiex/tdls.c
   868                  memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
   869                         sizeof(struct ieee_types_header) +
   870                         min_t(u8, pos[1], 8));
   871                  break;
   872          case WLAN_EID_RSN:
   873                  memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
   874                         sizeof(struct ieee_types_header) + pos[1]);

The ->rsn_ie buffer is 256 bytes large. sizeof(struct ieee_types_header) is 2. pos[1] is a number between 0-255. This can write 1 byte beyond the end.

   875                  break;
   876          case WLAN_EID_QOS_CAPA:
   877                  sta_ptr->tdls_cap.qos_info = pos[2];
   878                  break;

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
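The arithmetic behind Dan's report, as an added, self-contained example (not kernel code, and not the fix Avinash submitted): an 802.11 information element is a 1-byte ID, a 1-byte length and up to 255 bytes of body, so header plus body can reach 257 bytes while rsn_ie holds 256. The struct layout, the EID values, the function names and the constructed frame below are assumptions made for illustration; the RSN path clamps the copy to the destination the way the extcap path already does with min_t(), and the loop also checks that each element's length byte does not run past the bytes actually received, which is the other bound an attacker-controlled pos[1] needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel types.  Assumption: only the sizes
 * quoted in the report (2-byte header, 256-byte rsn_ie) are mirrored; field
 * names and layout are not the real mwifiex ones. */
struct ie_header {
    uint8_t element_id;
    uint8_t len;
};

#define RSN_IE_BUF_SIZE 256
#define EID_RSN         48   /* WLAN_EID_RSN */
#define EID_QOS_CAPA    46   /* WLAN_EID_QOS_CAPA */

struct tdls_cap {
    uint8_t rsn_ie[RSN_IE_BUF_SIZE];
    uint8_t qos_info;
    uint8_t canary;    /* sits after the buffers; must survive parsing */
};

/* Length the unpatched memcpy() uses: 2-byte header + pos[1], up to 257. */
size_t uncapped_copy_len(uint8_t ie_len)
{
    return sizeof(struct ie_header) + ie_len;
}

/* Same quantity clamped to the destination, as min_t() does on the extcap path. */
size_t capped_copy_len(uint8_t ie_len)
{
    size_t want = sizeof(struct ie_header) + ie_len;
    return want > RSN_IE_BUF_SIZE ? RSN_IE_BUF_SIZE : want;
}

/* Walk the IE list of a received frame (pos, avail bytes).  Two bounds per
 * element: it must fit in the bytes received, and the copy into rsn_ie must
 * fit the destination.  Returns elements consumed, or -1 on a malformed frame. */
int parse_tdls_ies(struct tdls_cap *cap, const uint8_t *pos, size_t avail)
{
    int count = 0;

    while (avail >= sizeof(struct ie_header)) {
        size_t total = sizeof(struct ie_header) + pos[1];

        if (total > avail)          /* length byte claims more than the frame has */
            return -1;

        switch (pos[0]) {
        case EID_RSN:
            memcpy(cap->rsn_ie, pos, capped_copy_len(pos[1]));
            break;
        case EID_QOS_CAPA:
            if (pos[1] < 1)         /* pos[2] would belong to the next element */
                return -1;
            cap->qos_info = pos[2];
            break;
        default:
            break;                  /* unknown element: skip it */
        }
        pos += total;
        avail -= total;
        count++;
    }
    return count;
}

/* Constructed worst case: a QoS element followed by an RSN element whose
 * length byte is 255.  Returns how many bytes the uncapped copy would have
 * written past rsn_ie, or a negative code if parsing misbehaved. */
int worst_case_demo(void)
{
    static uint8_t frame[3 + 257];
    struct tdls_cap cap;

    frame[0] = EID_QOS_CAPA; frame[1] = 1;   frame[2] = 0x80;
    frame[3] = EID_RSN;      frame[4] = 255;
    memset(&frame[5], 0x41, 255);

    memset(&cap, 0, sizeof(cap));
    cap.canary = 0xAA;
    if (parse_tdls_ies(&cap, frame, sizeof(frame)) != 2)
        return -1;
    if (cap.canary != 0xAA)       /* an overrun would have clobbered this */
        return -2;
    return (int)uncapped_copy_len(255) - RSN_IE_BUF_SIZE;
}

/* Constructed truncated frame: length byte says 10, only 3 body bytes present. */
int truncated_demo(void)
{
    static const uint8_t bad[5] = { EID_RSN, 10, 1, 2, 3 };
    struct tdls_cap cap;

    memset(&cap, 0, sizeof(cap));
    return parse_tdls_ies(&cap, bad, sizeof(bad));
}

int main(void)
{
    printf("copy length for len byte 255: uncapped %zu, capped %zu, buffer %d\n",
           uncapped_copy_len(255), capped_copy_len(255), RSN_IE_BUF_SIZE);
    printf("worst case: %d byte(s) of overrun avoided\n", worst_case_demo());
    printf("truncated frame result: %d\n", truncated_demo());
    return 0;
}
```

Clamping to the buffer silently drops the tail of an over-long RSN element; rejecting the frame instead is the stricter choice, and which one a driver wants depends on whether a truncated RSN IE is ever usable downstream.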