This fix addresses CVE-2019-14901 > 在 2019年11月22日,下午10:27,qize wang <wangqize888888888@xxxxxxxxx> 写道: > > Hi, dan > > I forget to explain the reason of changing "pos" to "pos + 2” in the commit message. > Thank you for your suggestion. > IE is TLV struct, but ht_cap and ht_oper aren’t TLV struct,the origin marvell driver code is wrong. > we fix the bug by changing pos(the address of IE) to pos+2 ( the address of IE’s value ). > > regards, > qize wang > >> 在 2019年11月22日,下午8:37,Dan Carpenter <dan.carpenter@xxxxxxxxxx> 写道: >> >> On Fri, Nov 22, 2019 at 11:40:40AM +0000, Ganapathi Bhat wrote: >>> Hi Dan, >>> >>>>> + /* copy the ie's value into ht_capb*/ >>>>> + memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2, >>>> ^^^^^^^ >>>> >>>> I don't understand why we changed "pos" to "pos + 2". Presumably there is >>>> a reason, but it needs to explained in the commit message. >>> >>> I think, we were doing wrong in the original code. We are supposed to use 'pos + 2' itself, instead of just 'pos'. This is because, 'pos' is pointing to 'ieee_types_header', followed by the actual data and the destination do not start with (i.e. it do not contain) 'ieee_types_header'(ex: 'sta_ptr->tdls_cap.ht_oper'). >>> >>> Also, there are few places were the destination starts with 'ieee_types_header'(ex: 'sta_ptr->tdls_cap.extcap'), which need just 'pos'. >> >> I assumed it was something like this but it needs to be explained in >> the commit message. >> >> regards, >> dan carpenter >> >
