From: Vladimir Kondratiev <QCA_vkondrat@QCA.qualcomm.com>
To: Colin King <colin.king@canonical.com>,
Kalle Valo <kvalo@codeaurora.org>,
<linux-wireless@vger.kernel.org>, <wil6210@qca.qualcomm.com>,
<netdev@vger.kernel.org>
Cc: <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] wil6210: increase cmd buffer size to avoid sscanf buffer overflow
Date: Mon, 2 Mar 2015 10:24:47 +0200
Message-ID: <54F41E4F.8090502@qca.qualcomm.com>
In-Reply-To: <1425232113-5010-1-git-send-email-colin.king@canonical.com>

On 03/01/2015 07:48 PM, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> cppcheck detected a buffer overflow:
>
> [drivers/net/wireless/ath/wil6210/debugfs.c:634]: (error) Width 8
> given in format string (no. 1) is larger than destination buffer
> 'cmd[8]', use %7s to prevent overflowing it.
>
> For the current %8s sscanf we require cmd to be 9 chars long
> so increase it by 1 byte to prevent the sscanf overflow (rather
> than reduce the %8s specifier to %7s as cppcheck recommends).
>
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
> drivers/net/wireless/ath/wil6210/debugfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c
> index 45c3558e..29aab12 100644
> --- a/drivers/net/wireless/ath/wil6210/debugfs.c
> +++ b/drivers/net/wireless/ath/wil6210/debugfs.c
> @@ -618,7 +618,7 @@ static ssize_t wil_write_back(struct file *file, const char __user *buf,
> struct wil6210_priv *wil = file->private_data;
> int rc;
> char *kbuf = kmalloc(len + 1, GFP_KERNEL);
> - char cmd[8];
> + char cmd[9];
> int p1, p2, p3;
>
> if (!kbuf)
>
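Review bot: at `char cmd[9];` the size is a bare number whose only justification (the %8s width cited in the commit message and the cppcheck output for debugfs.c:634) is not visible at the declaration, so a later change to either the array or the format width can silently bring the overflow back. Consider a short comment on the declaration, for example `char cmd[9]; /* %8s plus NUL */`, or a named constant shared by the array size and the format width. The choice to grow the buffer rather than narrow the width to %7s also changes nothing for existing 8-character command names, which is worth stating in the commit message as the reason for departing from cppcheck's suggestion.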
Thanks for finding this. Here is my
Acked-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Thanks, Vladimir
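
The sizing rule behind the patch (a `%Ns` conversion stores up to N characters and then a terminating NUL, so the destination needs N + 1 bytes) can be enforced by generating the width from the same constant as the array size. This is an added user-space example, not code from the driver or from this thread; `CMD_WIDTH`, `struct parsed`, `parse_cmd`, `stored_len` and the "<cmd> <p1> <p2> <p3>" input layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names: CMD_WIDTH, parse_cmd and the "<cmd> <p1> <p2> <p3>"
 * layout are assumptions for this example, not the driver's code. */
#define CMD_WIDTH 8                 /* max characters %s may store */
#define STR_(x) #x
#define STR(x) STR_(x)

struct parsed {
    char cmd[CMD_WIDTH + 1];        /* width + 1 for the NUL sscanf appends */
    int p1, p2, p3;
};

/* Returns the number of fields converted (0..4), like sscanf. */
static int parse_cmd(const char *line, struct parsed *out)
{
    memset(out, 0, sizeof(*out));
    /* The width is generated from CMD_WIDTH, so it cannot drift from
     * the array size: the format expands to "%8s %d %d %d". */
    return sscanf(line, "%" STR(CMD_WIDTH) "s %d %d %d",
                  out->cmd, &out->p1, &out->p2, &out->p3);
}

/* Length stored for the first token; the worst case is CMD_WIDTH chars. */
static size_t stored_len(const char *line)
{
    struct parsed p;
    if (parse_cmd(line, &p) < 1)
        return 0;
    return strlen(p.cmd);
}

int main(void)
{
    struct parsed p;
    /* Constructed sample inputs. */
    int n = parse_cmd("add 1 2 3", &p);
    printf("%d fields, cmd=%s p=%d,%d,%d\n", n, p.cmd, p.p1, p.p2, p.p3);
    printf("8-char token stores %zu chars + NUL\n",
           stored_len("abcdefgh 1 2 3"));
    printf("12-char token stores %zu chars + NUL\n",
           stored_len("abcdefghijkl 1 2 3"));
    return 0;
}
```

An over-long token is cut at the width and the remaining characters stay in the input, so the following `%d` fails and the return value drops to 1; checking that return value is what rejects the malformed command.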
Thread overview: 5+ messages
2015-03-01 17:48 [PATCH] wil6210: increase cmd buffer size to avoid sscanf buffer overflow Colin King
2015-03-01 17:48 ` Colin King
2015-03-02 8:24 ` Vladimir Kondratiev [this message]
2015-03-02 8:24 ` Vladimir Kondratiev
2015-03-03 13:48 ` Kalle Valo