linux-wireless.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
	Kalle Valo <kvalo@codeaurora.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 204/237] wireless: airo: potential buffer overflow in sprintf()
Date: Sat, 16 Nov 2019 10:40:39 -0500
Message-ID: <20191116154113.7417-204-sashal@kernel.org>
In-Reply-To: <20191116154113.7417-1-sashal@kernel.org>

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 3d39e1bb1c88f32820c5f9271f2c8c2fb9a52bac ]

It looks like we wanted to print a maximum of BSSList_rid.ssidLen bytes
of the ssid, but we accidentally use "%*s" (width) instead of "%.*s"
(precision) so if the ssid doesn't have a NUL terminator this could lead
to an overflow.

Static analysis.  Not tested.

Fixes: e174961ca1a0 ("net: convert print_mac to %pM")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/cisco/airo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
index 04dd7a9365938..5512c7f73fce8 100644
--- a/drivers/net/wireless/cisco/airo.c
+++ b/drivers/net/wireless/cisco/airo.c
@@ -5462,7 +5462,7 @@ static int proc_BSSList_open( struct inode *inode, struct file *file ) {
            we have to add a spin lock... */
 	rc = readBSSListRid(ai, doLoseSync, &BSSList_rid);
 	while(rc == 0 && BSSList_rid.index != cpu_to_le16(0xffff)) {
-		ptr += sprintf(ptr, "%pM %*s rssi = %d",
+		ptr += sprintf(ptr, "%pM %.*s rssi = %d",
 			       BSSList_rid.bssid,
 				(int)BSSList_rid.ssidLen,
 				BSSList_rid.ssid,
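
Review bot: the precision argument "(int)BSSList_rid.ssidLen" in the changed sprintf() call is passed through unclamped. "%.*s" caps the read at ssidLen bytes, so the fix holds only if ssidLen can never exceed the size of BSSList_rid.ssid; the value sits in the RID that readBSSListRid() fills, and nothing in the visible lines limits it. Suggest clamping it to sizeof(BSSList_rid.ssid) before the call. Separately, "ptr += sprintf(ptr, ...)" inside the while loop has no visible bound on the destination; scnprintf() with the remaining space would keep a long BSS list from running past the buffer. Since the commit message says "Static analysis. Not tested.", a read of the proc file on real hardware would be worth doing before this lands in stable.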
-- 
2.20.1
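
The width versus precision difference described in the commit message, as an added user-space example that is not part of the patch or the airo driver. The record contents, the 32-byte field size and the function names are constructed for illustration, and libc snprintf() stands in for the kernel's sprintf().

```c
#include <stdio.h>
#include <string.h>

#define SSID_FIELD 32   /* constructed: size of the fixed, non-NUL-terminated field */

/* Constructed record: a completely filled 32-byte SSID field followed directly
 * by other bytes. Both live in one array so the over-read is well defined here. */
static const char record[] =
    "0123456789abcdef0123456789abcdef"   /* 32-byte ssid field, no NUL inside */
    "ADJACENT-DATA";                     /* whatever lies behind the field */

/* "%*s": the int is a minimum field WIDTH. It only pads short strings;
 * the read continues until the first NUL byte, past the end of the field. */
static int fmt_width(char *out, size_t outsz, const char *ssid, int len)
{
    return snprintf(out, outsz, "%*s rssi = %d", len, ssid, -40);
}

/* "%.*s": the int is a PRECISION, so at most len bytes are read from ssid.
 * The length is clamped first because it is data supplied with the record. */
static int fmt_precision(char *out, size_t outsz, const char *ssid, int len)
{
    if (len < 0 || len > SSID_FIELD)
        len = SSID_FIELD;
    return snprintf(out, outsz, "%.*s rssi = %d", len, ssid, -40);
}

int main(void)
{
    char out[128];
    int n;

    n = fmt_width(out, sizeof(out), record, SSID_FIELD);
    printf("%%*s  -> %d bytes: %s\n", n, out);

    n = fmt_precision(out, sizeof(out), record, SSID_FIELD);
    printf("%%.*s -> %d bytes: %s\n", n, out);
    return 0;
}
```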

