From: Solomon Peachy <pizza@shaftnet.org>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-wireless@vger.kernel.org
Subject: Re: cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets
Date: Tue, 4 Jun 2013 09:43:41 -0400
Message-ID: <20130604134340.GA3813@shaftnet.org>
In-Reply-To: <20130604130955.GA13788@debian>
On Tue, Jun 04, 2013 at 06:09:55AM -0700, Dan Carpenter wrote:
> The patch a910e4a94f69: "cw1200: add driver for the ST-E CW1100 &
> CW1200 WLAN chipsets" from May 24, 2013, has poor input validation
> so the user could write to arbitrary memory.
> Also I think this API looks like things which should be done with
> normal ioctls. This driver only lets you load the firmware using a
> very ugly custom debugfs interface?
No, this is a debugging interface designed to interact with the
vendor-supplied testing tool and the passthrough API it requires. The
vendor tool controls the device init sequence, including special
engineering firmware.
Support for the ETF hooks is optional, and even if compiled in has to be
explicitly enabled with a module parameter.
> drivers/net/wireless/cw1200/debug.c
>
>     if (!count)
>         goto done;
>
>     if (copy_from_user(etf->buf + etf->written, user_buf + written,
>                        count)) {
>
> "count" isn't capped so we could overwrite etf->written on the first
> write and then write to arbitrary memory on the second write.
Okay, that's easy enough to fix. Thanks for pointing this out.
I'll try to robustify this rather ugly interface as much as possible.
- Solomon
--
Solomon Peachy pizza at shaftnet dot org
Delray Beach, FL ^^ (email/xmpp) ^^
Quidquid latine dictum sit, altum viditur.
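
Added example, not part of this thread or of the cw1200 driver: a userspace model of the length check that the quoted copy_from_user() call lacks. The struct layout, ETF_BUF_SIZE, and the function name are assumptions made for illustration, and memcpy() stands in for copy_from_user().

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETF_BUF_SIZE 64 /* assumed size, not taken from the driver */

/* Hypothetical model of the ETF state: a fixed buffer followed by the
 * running offset, so an overlong copy would run into 'written'. */
struct etf_model {
    unsigned char buf[ETF_BUF_SIZE];
    size_t written;
};

/* Append 'count' bytes at the current offset, refusing any length that
 * does not fit in the space left. Returns 0 on success, -EINVAL when
 * the request is rejected (nothing is copied in that case). */
int etf_model_append(struct etf_model *etf, const void *src, size_t count)
{
    if (!count)
        return 0;
    /* Do not trust the stored offset: it must lie inside the buffer. */
    if (etf->written > sizeof(etf->buf))
        return -EINVAL;
    /* Compare against the remaining space. Writing the test as
     * 'written + count > size' could wrap for a huge count. */
    if (count > sizeof(etf->buf) - etf->written)
        return -EINVAL;
    memcpy(etf->buf + etf->written, src, count);
    etf->written += count;
    return 0;
}

int main(void)
{
    struct etf_model etf = {0};
    unsigned char src[2 * ETF_BUF_SIZE] = {0}; /* constructed input */

    printf("40 bytes -> %d\n", etf_model_append(&etf, src, 40));
    printf("25 more  -> %d\n", etf_model_append(&etf, src, 25));
    printf("24 more  -> %d\n", etf_model_append(&etf, src, 24));
    printf("written  =  %zu\n", etf.written);
    return 0;
}
```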