From: Larry Finger <Larry.Finger@lwfinger.net>
To: kernel-janitors@vger.kernel.org
Subject: Re: [patch 2/2] staging: r8188eu: overflow in rtw_p2p_get_go_device_address()
Date: Fri, 07 Feb 2014 02:51:30 +0000 [thread overview]
Message-ID: <52F44A32.7040102@lwfinger.net> (raw)
In-Reply-To: <20140203223835.GB28874@elgon.mountain>
On 02/03/2014 04:38 PM, Dan Carpenter wrote:
> The go_devadd_str[] array is two characters too small to hold the
> address so we corrupt memory.
>
> I've changed the user space API slightly and I don't have a way to test
> if this breaks anything. In the original code we truncated away the
> last digit of the address and the NUL terminator so it was already a bit
> broken.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Nothing seems to be broken.
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Larry
>
> diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> index dec992569476..4ad80ae1067f 100644
> --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> @@ -3164,9 +3164,7 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
> u8 *p2pie;
> uint p2pielen = 0, attr_contentlen = 0;
> u8 attr_content[100] = {0x00};
> -
> - u8 go_devadd_str[17 + 10] = {0x00};
> - /* +10 is for the str "go_devadd =", we have to clear it at wrqu->data.pointer */
> + u8 go_devadd_str[17 + 12] = {};
>
> /* Commented by Albert 20121209 */
> /* The input data is the GO's interface address which the application wants to know its device address. */
> @@ -3223,12 +3221,12 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
> spin_unlock_bh(&pmlmepriv->scanned_queue.lock);
>
> if (!blnMatch)
> - sprintf(go_devadd_str, "\n\ndev_add = NULL");
> + snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add = NULL");
> else
> - sprintf(go_devadd_str, "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X",
> + snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X",
> attr_content[0], attr_content[1], attr_content[2], attr_content[3], attr_content[4], attr_content[5]);
>
> - if (copy_to_user(wrqu->data.pointer, go_devadd_str, 10 + 17))
> + if (copy_to_user(wrqu->data.pointer, go_devadd_str, sizeof(go_devadd_str)))
> return -EFAULT;
> return ret;
> }
>
next prev parent reply other threads:[~2014-02-07 2:51 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-03 22:38 [patch 2/2] staging: r8188eu: overflow in rtw_p2p_get_go_device_address() Dan Carpenter
2014-02-07 2:51 ` Larry Finger [this message]
2014-02-07 10:46 ` walter harms
2014-02-07 11:21 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52F44A32.7040102@lwfinger.net \
--to=larry.finger@lwfinger.net \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.