[PATCH] mac80211: fix kzalloc memory corruption introduced in minstrel

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] mac80211: fix kzalloc memory corruption introduced in minstrel_ht
@ 2012-07-02 12:39 Thomas Huehn
  2012-07-02 18:25 ` John W. Linville
  0 siblings, 1 reply; 2+ messages in thread
From: Thomas Huehn @ 2012-07-02 12:39 UTC (permalink / raw)
  To: linville
  Cc: dan.carpenter, wfg, linux-wireless, franzschrober, julian.calaby,
	johannes, thomas, nbd

The patch: "mac80211: correct size the argument to
kzalloc in minstrel_ht" (from Jun 29, 2012), leads to memory corruption.
"msp->ratelist" is a void pointer - therfore going back to the
expicit form: sizeof(struct minstrel_rate) which brings back correct
memory allocation.

Reported-by: Fengguang Wu <wfg@linux.intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
---
 net/mac80211/rc80211_minstrel_ht.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index 1ca8f2b..f9e51ef 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -813,7 +813,7 @@ minstrel_ht_alloc_sta(void *priv, struct ieee80211_sta *sta, gfp_t gfp)
 	if (!msp)
 		return NULL;
 
-	msp->ratelist = kzalloc(sizeof(*msp->ratelist) * max_rates, gfp);
+	msp->ratelist = kzalloc(sizeof(struct minstrel_rate) * max_rates, gfp);
 	if (!msp->ratelist)
 		goto error;
 
-- 
1.7.10.4


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] mac80211: fix kzalloc memory corruption introduced in minstrel_ht
  2012-07-02 12:39 [PATCH] mac80211: fix kzalloc memory corruption introduced in minstrel_ht Thomas Huehn
@ 2012-07-02 18:25 ` John W. Linville
  0 siblings, 0 replies; 2+ messages in thread
From: John W. Linville @ 2012-07-02 18:25 UTC (permalink / raw)
  To: Thomas Huehn
  Cc: dan.carpenter, wfg, linux-wireless, franzschrober, julian.calaby,
	johannes, nbd

On Mon, Jul 02, 2012 at 02:39:52PM +0200, Thomas Huehn wrote:
> The patch: "mac80211: correct size the argument to
> kzalloc in minstrel_ht" (from Jun 29, 2012), leads to memory corruption.
> "msp->ratelist" is a void pointer - therfore going back to the
> expicit form: sizeof(struct minstrel_rate) which brings back correct
> memory allocation.
> 
> Reported-by: Fengguang Wu <wfg@linux.intel.com>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
> ---
>  net/mac80211/rc80211_minstrel_ht.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
> index 1ca8f2b..f9e51ef 100644
> --- a/net/mac80211/rc80211_minstrel_ht.c
> +++ b/net/mac80211/rc80211_minstrel_ht.c
> @@ -813,7 +813,7 @@ minstrel_ht_alloc_sta(void *priv, struct ieee80211_sta *sta, gfp_t gfp)
>  	if (!msp)
>  		return NULL;
>  
> -	msp->ratelist = kzalloc(sizeof(*msp->ratelist) * max_rates, gfp);
> +	msp->ratelist = kzalloc(sizeof(struct minstrel_rate) * max_rates, gfp);
>  	if (!msp->ratelist)
>  		goto error;
>  

Johannes, I'm grabbing this one now.

-- 
John W. Linville		Someday the world will need a hero, and you
linville@tuxdriver.com			might be all we have.  Be ready.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2012-07-05 14:52 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-07-02 12:39 [PATCH] mac80211: fix kzalloc memory corruption introduced in minstrel_ht Thomas Huehn
2012-07-02 18:25 ` John W. Linville

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).