Re: [PATCH] staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan

From: Dan Carpenter
Date: Mon Mar 08 2021 - 02:58:59 EST


On Fri, Mar 05, 2021 at 03:00:14PM +0000, Lee wrote:
>
> Hi Dan,
>
> Do you think any of these could be potential issues:
>
> driver/staging/
>
> rtl8192e/rtllib_rx.c:2442

memcpy(dst->ssid, src->ssid, src->ssid_len);

Smatch says that at this point we know "src->ssid_len" is in the 1-32
range. This is without any fixes to how Smatch parses nl_len().

> wlan-ng/cfg80211.c:316

313         if (request->n_ssids > 0) {
314                 msg1.scantype.data = P80211ENUM_scantype_active;
315                 msg1.ssid.data.len = request->ssids->ssid_len;
316                 memcpy(msg1.ssid.data.data,
317                        request->ssids->ssid, request->ssids->ssid_len);
318         } else {

The only thing Smatch knows about "request->ssids->ssid_len" is that
it's 0-255. I had not marked "msg1.ssid.data.data" as a protected
struct member so it didn't generate a warning.

I think cfg80211_scan_request structs are filled out in a systematic
way in ieee80211_request_ibss_scan() and they're bounds checked properly
so this isn't a bug.

> rtl8723bs/os_dep/ioctl_cfg80211.c:1591
> rtl8723bs/os_dep/ioctl_cfg80211.c:2738

Same.

regards,
dan carpenter
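An added example, not code from the rtl8192e, wlan-ng or rtl8723bs drivers discussed above and not part of Dan's reply. It models the pattern the thread is about: an SSID length field that can hold 0..255 is used as the memcpy() length into a fixed 32-byte buffer, so the copy is only safe if the length was bounds checked where the request was filled in (the invariant Dan points to in the cfg80211 path). All names (scan_ssid, scan_request, ssid_dest, fill_scan_request, copy_ssid_unchecked, copy_ssid_checked) are hypothetical; the 32-byte limit is the 802.11 maximum SSID length.

```c
/* Added example modelling the memcpy(dst->ssid, src->ssid, src->ssid_len)
 * pattern from the thread. All struct and function names are hypothetical,
 * not the kernel's. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_SSID_LEN 32   /* 802.11 maximum SSID length */

/* Per-SSID entry of a scan request. The length field can hold 0..255,
 * which is all a range analysis like Smatch knows about it without
 * seeing the code that filled it in. */
struct scan_ssid {
    uint8_t ssid[MAX_SSID_LEN];
    uint8_t ssid_len;
};

struct scan_request {
    struct scan_ssid ssids[4];
    int n_ssids;
};

/* The buffer a driver copies the SSID into; same size as the source. */
struct ssid_dest {
    uint8_t data[MAX_SSID_LEN];
    uint8_t len;
};

/* Producer side: the only place ssid_len is written. Rejecting oversized
 * SSIDs here establishes the invariant ssid_len <= MAX_SSID_LEN that every
 * later memcpy() relies on. Returns 0 on success, -1 if an SSID is too
 * long or there are too many of them. */
int fill_scan_request(struct scan_request *req,
                      const uint8_t *const *ssids, const size_t *lens,
                      int n)
{
    memset(req, 0, sizeof(*req));
    if (n < 0 || n > 4)
        return -1;
    for (int i = 0; i < n; i++) {
        if (lens[i] > MAX_SSID_LEN)
            return -1;              /* bounds check at the source */
        memcpy(req->ssids[i].ssid, ssids[i], lens[i]);
        req->ssids[i].ssid_len = (uint8_t)lens[i];
    }
    req->n_ssids = n;
    return 0;
}

/* Consumer as written in the drivers under discussion: the copy length
 * comes straight from ssid_len. Safe only under the invariant above. */
void copy_ssid_unchecked(struct ssid_dest *dst, const struct scan_ssid *src)
{
    dst->len = src->ssid_len;
    memcpy(dst->data, src->ssid, src->ssid_len);
}

/* Defensive consumer: re-validates against the destination size so a
 * caller that never established the invariant cannot overflow data[].
 * Returns 0 on success, -1 if the length exceeds the buffer. */
int copy_ssid_checked(struct ssid_dest *dst, const struct scan_ssid *src)
{
    if (src->ssid_len > sizeof(dst->data))
        return -1;
    dst->len = src->ssid_len;
    memcpy(dst->data, src->ssid, src->ssid_len);
    return 0;
}

int main(void)
{
    /* Constructed sample input: one 6-byte SSID and one 40-byte SSID. */
    const uint8_t good[] = "lab-ap";
    uint8_t toolong[40];
    memset(toolong, 'A', sizeof(toolong));
    const uint8_t *const ssids[] = { good, toolong };
    const size_t lens[] = { 6, sizeof(toolong) };
    struct scan_request req;

    printf("fill with 40-byte SSID: %d (expect -1)\n",
           fill_scan_request(&req, ssids, lens, 2));
    printf("fill with 6-byte SSID: %d (expect 0)\n",
           fill_scan_request(&req, ssids, lens, 1));

    struct ssid_dest dst = { { 0 }, 0 };
    copy_ssid_unchecked(&dst, &req.ssids[0]);   /* invariant holds here */
    printf("copied %u bytes: %.*s\n", dst.len, dst.len, dst.data);

    /* A struct whose length was never validated: the checked copy refuses. */
    struct scan_ssid forged = { { 0 }, 200 };
    printf("checked copy of len 200: %d (expect -1)\n",
           copy_ssid_checked(&dst, &forged));
    return 0;
}
```

The point of the two consumers is where the check lives: if every writer of ssid_len goes through something like fill_scan_request, the unchecked memcpy() is fine and Smatch only complains because it cannot see that path; if any writer bypasses it, the consumer must check against sizeof the destination itself.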