From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Carpenter Date: Sat, 30 Jan 2016 14:41:10 +0000 Subject: [patch] staging: rtl8712: memory corruption in wpa_set_encryption() Message-Id: <20160130144110.GE3462@mwanda> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Larry Finger Cc: Florian Schilhabel , Greg Kroah-Hartman , Luis de Bethencourt , Joshua Clayton , Punit Vara , Andy Shevchenko , Aya Mahfouz , Alison Schofield , devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org ->KeyMaterial is declared as a 16 byte array, but we only ever allocate either 5 or 13 bytes of it. The problem is that we memset() all 16 bytes to zero so we're memsetting past the end of the allocated memory. I fixed this in slightly lazy way, by just allocating 16 bytes. This works but there is a lot more cleanup you could do to this code if you wanted. Which is why this code is in staging. Signed-off-by: Dan Carpenter diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c index edfc680..db2e31bc 100644 --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c @@ -398,12 +398,9 @@ static int wpa_set_encryption(struct net_device *dev, struct ieee_param *param, wep_key_idx = 0; if (wep_key_len > 0) { wep_key_len = wep_key_len <= 5 ? 5 : 13; - pwep = kmalloc((u32)(wep_key_len + - FIELD_OFFSET(struct NDIS_802_11_WEP, - KeyMaterial)), GFP_ATOMIC); + pwep = kzalloc(sizeof(*pwep), GFP_ATOMIC); if (pwep = NULL) return -ENOMEM; - memset(pwep, 0, sizeof(struct NDIS_802_11_WEP)); pwep->KeyLength = wep_key_len; pwep->Length = wep_key_len + FIELD_OFFSET(struct NDIS_802_11_WEP,