* [patch 2/2] staging: r8188eu: overflow in rtw_p2p_get_go_device_address()
@ 2014-02-03 22:38 Dan Carpenter
2014-02-07 2:51 ` Larry Finger
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Dan Carpenter @ 2014-02-03 22:38 UTC (permalink / raw)
To: kernel-janitors
The go_devadd_str[] array is two characters too small to hold the
address so we corrupt memory.
I've changed the user space API slightly and I don't have a way to test
if this breaks anything. In the original code we truncated away the
last digit of the address and the NUL terminator so it was already a bit
broken.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index dec992569476..4ad80ae1067f 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -3164,9 +3164,7 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
u8 *p2pie;
uint p2pielen = 0, attr_contentlen = 0;
u8 attr_content[100] = {0x00};
-
- u8 go_devadd_str[17 + 10] = {0x00};
- /* +10 is for the str "go_devadd =", we have to clear it at wrqu->data.pointer */
+ u8 go_devadd_str[17 + 12] = {};
/* Commented by Albert 20121209 */
/* The input data is the GO's interface address which the application wants to know its device address. */
@@ -3223,12 +3221,12 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
spin_unlock_bh(&pmlmepriv->scanned_queue.lock);
if (!blnMatch)
- sprintf(go_devadd_str, "\n\ndev_add = NULL");
+ snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add = NULL");
else
- sprintf(go_devadd_str, "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X",
+ snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X",
attr_content[0], attr_content[1], attr_content[2], attr_content[3], attr_content[4], attr_content[5]);
- if (copy_to_user(wrqu->data.pointer, go_devadd_str, 10 + 17))
+ if (copy_to_user(wrqu->data.pointer, go_devadd_str, sizeof(go_devadd_str)))
return -EFAULT;
return ret;
}
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [patch 2/2] staging: r8188eu: overflow in rtw_p2p_get_go_device_address()
2014-02-03 22:38 [patch 2/2] staging: r8188eu: overflow in rtw_p2p_get_go_device_address() Dan Carpenter
@ 2014-02-07 2:51 ` Larry Finger
2014-02-07 10:46 ` walter harms
2014-02-07 11:21 ` Dan Carpenter
2 siblings, 0 replies; 4+ messages in thread
From: Larry Finger @ 2014-02-07 2:51 UTC (permalink / raw)
To: kernel-janitors
On 02/03/2014 04:38 PM, Dan Carpenter wrote:
> The go_devadd_str[] array is two characters too small to hold the
> address so we corrupt memory.
>
> I've changed the user space API slightly and I don't have a way to test
> if this breaks anything. In the original code we truncated away the
> last digit of the address and the NUL terminator so it was already a bit
> broken.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Nothing seems to be broken.
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Larry
>
> diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> index dec992569476..4ad80ae1067f 100644
> --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> @@ -3164,9 +3164,7 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
> u8 *p2pie;
> uint p2pielen = 0, attr_contentlen = 0;
> u8 attr_content[100] = {0x00};
> -
> - u8 go_devadd_str[17 + 10] = {0x00};
> - /* +10 is for the str "go_devadd =", we have to clear it at wrqu->data.pointer */
> + u8 go_devadd_str[17 + 12] = {};
>
> /* Commented by Albert 20121209 */
> /* The input data is the GO's interface address which the application wants to know its device address. */
> @@ -3223,12 +3221,12 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
> spin_unlock_bh(&pmlmepriv->scanned_queue.lock);
>
> if (!blnMatch)
> - sprintf(go_devadd_str, "\n\ndev_add = NULL");
> + snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add = NULL");
> else
> - sprintf(go_devadd_str, "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X",
> + snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X",
> attr_content[0], attr_content[1], attr_content[2], attr_content[3], attr_content[4], attr_content[5]);
>
> - if (copy_to_user(wrqu->data.pointer, go_devadd_str, 10 + 17))
> + if (copy_to_user(wrqu->data.pointer, go_devadd_str, sizeof(go_devadd_str)))
> return -EFAULT;
> return ret;
> }
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [patch 2/2] staging: r8188eu: overflow in rtw_p2p_get_go_device_address()
2014-02-03 22:38 [patch 2/2] staging: r8188eu: overflow in rtw_p2p_get_go_device_address() Dan Carpenter
2014-02-07 2:51 ` Larry Finger
@ 2014-02-07 10:46 ` walter harms
2014-02-07 11:21 ` Dan Carpenter
2 siblings, 0 replies; 4+ messages in thread
From: walter harms @ 2014-02-07 10:46 UTC (permalink / raw)
To: kernel-janitors
Am 03.02.2014 23:38, schrieb Dan Carpenter:
> The go_devadd_str[] array is two characters too small to hold the
> address so we corrupt memory.
>
> I've changed the user space API slightly and I don't have a way to test
> if this breaks anything. In the original code we truncated away the
> last digit of the address and the NUL terminator so it was already a bit
> broken.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> index dec992569476..4ad80ae1067f 100644
> --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> @@ -3164,9 +3164,7 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
> u8 *p2pie;
> uint p2pielen = 0, attr_contentlen = 0;
> u8 attr_content[100] = {0x00};
> -
> - u8 go_devadd_str[17 + 10] = {0x00};
> - /* +10 is for the str "go_devadd =", we have to clear it at wrqu->data.pointer */
> + u8 go_devadd_str[17 + 12] = {};
you are deleting the explanation for the magic numbers here,
- intentionally ?
NTL, it would be nice to have a full explanation like
10= space for "go_devadd ="
17= space for attr_content %.2X:%.2X:%.2X:%.2X:%.2X:%.2X
re,
wh
> /* Commented by Albert 20121209 */
> /* The input data is the GO's interface address which the application wants to know its device address. */
> @@ -3223,12 +3221,12 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
> spin_unlock_bh(&pmlmepriv->scanned_queue.lock);
>
> if (!blnMatch)
> - sprintf(go_devadd_str, "\n\ndev_add = NULL");
> + snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add = NULL");
> else
> - sprintf(go_devadd_str, "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X",
> + snprintf(go_devadd_str, sizeof(go_devadd_str), "\n\ndev_add =%.2X:%.2X:%.2X:%.2X:%.2X:%.2X",
> attr_content[0], attr_content[1], attr_content[2], attr_content[3], attr_content[4], attr_content[5]);
>
> - if (copy_to_user(wrqu->data.pointer, go_devadd_str, 10 + 17))
> + if (copy_to_user(wrqu->data.pointer, go_devadd_str, sizeof(go_devadd_str)))
> return -EFAULT;
> return ret;
> }
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [patch 2/2] staging: r8188eu: overflow in rtw_p2p_get_go_device_address()
2014-02-03 22:38 [patch 2/2] staging: r8188eu: overflow in rtw_p2p_get_go_device_address() Dan Carpenter
2014-02-07 2:51 ` Larry Finger
2014-02-07 10:46 ` walter harms
@ 2014-02-07 11:21 ` Dan Carpenter
2 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2014-02-07 11:21 UTC (permalink / raw)
To: kernel-janitors
On Fri, Feb 07, 2014 at 11:46:26AM +0100, walter harms wrote:
>
>
> Am 03.02.2014 23:38, schrieb Dan Carpenter:
> > The go_devadd_str[] array is two characters too small to hold the
> > address so we corrupt memory.
> >
> > I've changed the user space API slightly and I don't have a way to test
> > if this breaks anything. In the original code we truncated away the
> > last digit of the address and the NUL terminator so it was already a bit
> > broken.
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> > index dec992569476..4ad80ae1067f 100644
> > --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> > +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> > @@ -3164,9 +3164,7 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
> > u8 *p2pie;
> > uint p2pielen = 0, attr_contentlen = 0;
> > u8 attr_content[100] = {0x00};
> > -
> > - u8 go_devadd_str[17 + 10] = {0x00};
> > - /* +10 is for the str "go_devadd =", we have to clear it at wrqu->data.pointer */
> > + u8 go_devadd_str[17 + 12] = {};
>
>
> you are deleting the explanation for the magic numbers here,
> - intentionally ?
>
Yes. The old explanation was misleading because the string is
"\n\ndev_add =" and not "go_devadd =". The buffer is only used in one
location so the size is obvious and there is no need for a comment.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-02-07 11:21 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-02-03 22:38 [patch 2/2] staging: r8188eu: overflow in rtw_p2p_get_go_device_address() Dan Carpenter
2014-02-07 2:51 ` Larry Finger
2014-02-07 10:46 ` walter harms
2014-02-07 11:21 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox