From: Levente Kurusa <levex@linux.com>
To: Dominique van den Broeck <domdevlin@free.fr>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] staging/rtl8192e: userspace ptr deref + incorrect declarations
Date: Sun, 27 Apr 2014 19:47:53 +0200
Message-ID: <20140427174753.GA25594@linux.com>
In-Reply-To: <1398618676-31095-2-git-send-email-domdevlin@free.fr>
Hi,
On Sun, Apr 27, 2014 at 07:11:16PM +0200, Dominique van den Broeck wrote:
> . userspace pointer dereference ;
> . missing inclusions of needed header files ;
> . unrequired static function declaration (confusing another *.c file).
>
> Signed-off-by: Dominique van den Broeck <domdevlin@free.fr>
> ---
> I submit this patch as a result for Task #16 of the Eudyptula Challenge.
>
> diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_wx.c b/drivers/staging/rtl8192e/rtl8192e/rtl_wx.c
> index 498995d..d87cdfa 100644
> --- a/drivers/staging/rtl8192e/rtl8192e/rtl_wx.c
> +++ b/drivers/staging/rtl8192e/rtl8192e/rtl_wx.c
> @@ -17,8 +17,10 @@
> * wlanfae <wlanfae@realtek.com>
> ******************************************************************************/
>
> +#include <linux/uaccess.h>
> #include <linux/string.h>
> #include "rtl_core.h"
> +#include "rtl_wx.h"
>
> #define RATE_COUNT 12
> static u32 rtl8192_rates[] = {
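Review bot: the `#include "rtl_wx.h"` added after `rtl_core.h` belongs to the header and declaration cleanup, not to the user-pointer fix, which only needs `<linux/uaccess.h>`. The commit message lists three separate changes; putting the copy_from_user() fix in its own patch would let it be reviewed and backported without the declaration changes riding along.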
> @@ -1130,11 +1132,18 @@ static int r8192_wx_set_PromiscuousMode(struct net_device *dev,
> struct r8192_priv *priv = rtllib_priv(dev);
> struct rtllib_device *ieee = priv->rtllib;
>
> - u32 *info_buf = (u32 *)(wrqu->data.pointer);
> + u32 info_buf[3];
>
> - u32 oid = info_buf[0];
> - u32 bPromiscuousOn = info_buf[1];
> - u32 bFilterSourceStationFrame = info_buf[2];
> + u32 oid;
> + u32 bPromiscuousOn;
> + u32 bFilterSourceStationFrame;
> +
> + if (copy_from_user(info_buf, wrqu->data.pointer, sizeof(info_buf)))
> + return -EFAULT;
> +
> + oid = info_buf[0];
> + bPromiscuousOn = info_buf[1];
> + bFilterSourceStationFrame = info_buf[2];
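Review bot: the copy_from_user() call in r8192_wx_set_PromiscuousMode() always reads sizeof(info_buf) bytes from wrqu->data.pointer, and nothing in this hunk checks wrqu->data.length before doing so. Reject requests that carry fewer than the three u32 values the handler expects (for example with -EINVAL) ahead of the copy, so oid, bPromiscuousOn and bFilterSourceStationFrame are only ever filled from data the caller actually supplied.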
I guess it would be better to have defines for those instead of
hard-coding the offsets. Also the size of the info_buf array
might change depending on the size of wrqu->data.pointer, right?
Maybe create a new define for that as well?
Let's just be safe and create new defines to prevent headaches in
the future, if not for further expansion then for the sake of
legibility.
Thanks,
Levente Kurusa