From: Dan Carpenter <dan.carpenter@oracle.com>
To: Brett Rudley <brudley@broadcom.com>
Cc: Roland Vossen <rvossen@broadcom.com>,
Arend van Spriel <arend@broadcom.com>,
"Franky (Zhenhui) Lin" <frankyl@broadcom.com>,
Kan Yan <kanyan@broadcom.com>,
"John W. Linville" <linville@tuxdriver.com>,
Hante Meuleman <meuleman@broadcom.com>,
linux-wireless@vger.kernel.org, brcm80211-dev-list@broadcom.com,
kernel-janitors@vger.kernel.org
Subject: Re: [patch] brcmfmac: use kcalloc() to prevent integer overflow
Date: Wed, 26 Sep 2012 07:31:43 +0000 [thread overview]
Message-ID: <20120926073143.GO13767@mwanda> (raw)
In-Reply-To: <20120926072148.GA3956@elgon.mountain>
Speaking of integer overflows, I had a couple other concerns in this
file.
drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c brcmf_enq_event()
4144 total_len = sizeof(struct brcmf_cfg80211_event_q);
4145 if (data)
4146 data_len = be32_to_cpu(msg->datalen);
4147 else
4148 data_len = 0;
4149 total_len += data_len;
^^^^^^^^^^^^^^^^^^^^^
This looks very suspicious like a remote exploitable overflow.
4150 e = kzalloc(total_len, GFP_ATOMIC);
drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c brcmf_run_escan()
882 if (request != NULL) {
883 /* Allocate space for populating ssids in struct */
884 params_size += sizeof(u32) * ((request->n_channels + 1) / 2);
885
886 /* Allocate space for populating ssids in struct */
887 params_size += sizeof(struct brcmf_ssid) * request->n_ssids;
888 }
889
890 params = kzalloc(params_size, GFP_KERNEL);
I didn't track back where request comes from so I don't know if
that's a problem or not. I figured you would know better than I
would.
regards,
dan carpenter
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Brett Rudley <brudley@broadcom.com>
Cc: Roland Vossen <rvossen@broadcom.com>,
Arend van Spriel <arend@broadcom.com>,
"Franky (Zhenhui) Lin" <frankyl@broadcom.com>,
Kan Yan <kanyan@broadcom.com>,
"John W. Linville" <linville@tuxdriver.com>,
Hante Meuleman <meuleman@broadcom.com>,
linux-wireless@vger.kernel.org, brcm80211-dev-list@broadcom.com,
kernel-janitors@vger.kernel.org
Subject: Re: [patch] brcmfmac: use kcalloc() to prevent integer overflow
Date: Wed, 26 Sep 2012 10:31:43 +0300 [thread overview]
Message-ID: <20120926073143.GO13767@mwanda> (raw)
In-Reply-To: <20120926072148.GA3956@elgon.mountain>
Speaking of integer overflows, I had a couple other concerns in this
file.
drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c brcmf_enq_event()
4144 total_len = sizeof(struct brcmf_cfg80211_event_q);
4145 if (data)
4146 data_len = be32_to_cpu(msg->datalen);
4147 else
4148 data_len = 0;
4149 total_len += data_len;
^^^^^^^^^^^^^^^^^^^^^
This looks very suspicious like a remote exploitable overflow.
4150 e = kzalloc(total_len, GFP_ATOMIC);
drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c brcmf_run_escan()
882 if (request != NULL) {
883 /* Allocate space for populating ssids in struct */
884 params_size += sizeof(u32) * ((request->n_channels + 1) / 2);
885
886 /* Allocate space for populating ssids in struct */
887 params_size += sizeof(struct brcmf_ssid) * request->n_ssids;
888 }
889
890 params = kzalloc(params_size, GFP_KERNEL);
I didn't track back where request comes from so I don't know if
that's a problem or not. I figured you would know better than I
would.
regards,
dan carpenter
next prev parent reply other threads:[~2012-09-26 7:31 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-26 7:21 [patch] brcmfmac: use kcalloc() to prevent integer overflow Dan Carpenter
2012-09-26 7:21 ` Dan Carpenter
2012-09-26 7:31 ` Dan Carpenter [this message]
2012-09-26 7:31 ` Dan Carpenter
2012-09-26 9:41 ` Arend van Spriel
2012-09-26 9:41 ` Arend van Spriel
2012-09-27 10:49 ` Arend van Spriel
2012-09-27 10:49 ` Arend van Spriel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120926073143.GO13767@mwanda \
--to=dan.carpenter@oracle.com \
--cc=arend@broadcom.com \
--cc=brcm80211-dev-list@broadcom.com \
--cc=brudley@broadcom.com \
--cc=frankyl@broadcom.com \
--cc=kanyan@broadcom.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=meuleman@broadcom.com \
--cc=rvossen@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.