Re: [PATCH] staging: rtl8192u: change get_key functions to return 0 instead of -1

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Fabio M. De Francesco" <fmdefrancesco@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org,
	outreachy@lists.linux.dev, Rebecca Mckeever <remckee0@gmail.com>
Subject: Re: [PATCH] staging: rtl8192u: change get_key functions to return 0 instead of -1
Date: Wed, 20 Apr 2022 21:09:03 +0300	[thread overview]
Message-ID: <20220420180902.GJ2951@kadam> (raw)
In-Reply-To: <3183776.G96rZvMJ2N@leap>

On Wed, Apr 20, 2022 at 04:52:36PM +0200, Fabio M. De Francesco wrote:
> On mercoledì 20 aprile 2022 14:23:28 CEST Rebecca Mckeever wrote:
> > Currently, these three get_key functions return -1 when the provided len
> > value is less a specific key length value, which can result in buffer
> > overflow depending on how the returned value is used. These functions are
> > used in three places in ieee80211/ieee80211_wx.c:
> > 
> >   ieee80211_wx_get_encode() :
> >     The behavior of this function will be unchanged.
> > 
> >   ieee80211_wx_get_encode_ext() :
> >     The result of the get_key function is written to ext->key_len,
> >     resulting in a buffer overflow if the result is negative.
> > 
> >   ieee80211_wx_set_encode() :
> >     The behavior of this function will change. When len is less than the
> >     key length value, it will set a default key of all 0.
> > 
> > Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Signed-off-by: Rebecca Mckeever <remckee0@gmail.com>
> > ---
> >  drivers/staging/rtl8192u/ieee80211/ieee80211_crypt_ccmp.c | 2 +-
> >  drivers/staging/rtl8192u/ieee80211/ieee80211_crypt_tkip.c | 2 +-
> >  drivers/staging/rtl8192u/ieee80211/ieee80211_crypt_wep.c  | 2 +-
> >  3 files changed, 3 insertions(+), 3 deletions(-)
>
> I was not able to find the message where Dan suggested this solution. 
> However it looks that we actually have problems in those callers when they 
> get '-1' as the return code.
> 
> I didn't look at the code with much attention but I think that returning 
> '0' to signal errors is not so good.
> 
> If I'm not missing something from the context, I'd rather return '-EINVAL' 
> and change the callers to check for this specific error that would signal 
> we have "len less than a specific len value". If so, act in accordance to 
> the returned -EINVAL.
> 
> For example, in a caller you may test:
> 
> if (ext->key_len == -EINVAL || <some other test, if required>)
>         <error path>
> <success path>

These are valid questions.

Ideally the errors wouldn't happen.  Maybe they don't happen?

The error handling is copied from ieee80211_wx_get_encode_ext().  An all
zero password (rot13 security) is better than plaintext.  So this is a
conservative fix which potentially fixes some memory corruption and
doesn't break anything.

A more extensive fix would require someone who understands the code
better or can test it.

regards,
dan carpenter

next prev parent reply	other threads:[~2022-04-20 18:09 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-20 12:23 [PATCH] staging: rtl8192u: change get_key functions to return 0 instead of -1 Rebecca Mckeever
2022-04-20 14:52 ` Fabio M. De Francesco
2022-04-20 18:09   ` Dan Carpenter [this message]
2022-04-20 17:52 ` Dan Carpenter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220420180902.GJ2951@kadam \
    --to=dan.carpenter@oracle.com \
    --cc=fmdefrancesco@gmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-staging@lists.linux.dev \
    --cc=outreachy@lists.linux.dev \
    --cc=remckee0@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.