* [PATCH] staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()
@ 2023-07-09 5:50 Zhang Shurong
[not found] ` <2a41ca22-a0eb-df38-be43-7175e1230bd0@web.de>
2023-07-10 6:08 ` [PATCH] " Dan Carpenter
0 siblings, 2 replies; 5+ messages in thread
From: Zhang Shurong @ 2023-07-09 5:50 UTC (permalink / raw)
To: gregkh; +Cc: error27, xu.panda, linux-staging, linux-kernel, Zhang Shurong
The "exc->key_len" is a u16 that comes from the user. If it's over
IW_ENCODING_TOKEN_MAX (64) that could lead to memory corruption.
Fixes: b121d84882b9 ("staging: ks7010: simplify calls to memcpy()")
Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
---
drivers/staging/ks7010/ks_wlan_net.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/ks7010/ks_wlan_net.c b/drivers/staging/ks7010/ks_wlan_net.c
index e03c87f0bfe7..0fb97a79ad0b 100644
--- a/drivers/staging/ks7010/ks_wlan_net.c
+++ b/drivers/staging/ks7010/ks_wlan_net.c
@@ -1583,8 +1583,10 @@ static int ks_wlan_set_encode_ext(struct net_device *dev,
commit |= SME_WEP_FLAG;
}
if (enc->key_len) {
- memcpy(&key->key_val[0], &enc->key[0], enc->key_len);
- key->key_len = enc->key_len;
+ int key_len = clamp_val(enc->key_len, 0, IW_ENCODING_TOKEN_MAX);
+
+ memcpy(&key->key_val[0], &enc->key[0], key_len);
+ key->key_len = key_len;
commit |= (SME_WEP_VAL1 << index);
}
break;
--
2.30.2
^ permalink raw reply related [flat|nested] 5+ messages in thread[parent not found: <2a41ca22-a0eb-df38-be43-7175e1230bd0@web.de>]
* Re: [PATCH] staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()
[not found] ` <2a41ca22-a0eb-df38-be43-7175e1230bd0@web.de>
@ 2023-07-09 19:42 ` Greg Kroah-Hartman
[not found] ` <e24f9c2c-1163-631a-f8c0-b6dcb445a858@web.de>
0 siblings, 1 reply; 5+ messages in thread
From: Greg Kroah-Hartman @ 2023-07-09 19:42 UTC (permalink / raw)
To: Markus Elfring
Cc: Zhang Shurong, linux-staging, kernel-janitors, LKML,
Dan Carpenter, Xu Panda
On Sun, Jul 09, 2023 at 09:21:45PM +0200, Markus Elfring wrote:
> > The "exc->key_len" is a u16 that comes from the user. If it's over
> > IW_ENCODING_TOKEN_MAX (64) that could lead to memory corruption.
>
> Please choose an imperative change suggestion.
Please stop reviewing staging patches, it is not helpful for anyone.
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()
2023-07-09 5:50 [PATCH] staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() Zhang Shurong
[not found] ` <2a41ca22-a0eb-df38-be43-7175e1230bd0@web.de>
@ 2023-07-10 6:08 ` Dan Carpenter
1 sibling, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2023-07-10 6:08 UTC (permalink / raw)
To: Zhang Shurong; +Cc: gregkh, error27, xu.panda, linux-staging, linux-kernel
On Sun, Jul 09, 2023 at 01:50:07PM +0800, Zhang Shurong wrote:
> The "exc->key_len" is a u16 that comes from the user. If it's over
> IW_ENCODING_TOKEN_MAX (64) that could lead to memory corruption.
>
> Fixes: b121d84882b9 ("staging: ks7010: simplify calls to memcpy()")
>
> Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-07-10 6:08 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-07-09 5:50 [PATCH] staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() Zhang Shurong
[not found] ` <2a41ca22-a0eb-df38-be43-7175e1230bd0@web.de>
2023-07-09 19:42 ` Greg Kroah-Hartman
[not found] ` <e24f9c2c-1163-631a-f8c0-b6dcb445a858@web.de>
2023-07-10 5:41 ` Zhang Shurong
2023-07-10 5:47 ` Greg Kroah-Hartman
2023-07-10 6:08 ` [PATCH] " Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox