| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Dec 2018 13:06:58 +0000
From: Colin Ian King <colin.king@...onical.com>
To: Kalle Valo <kvalo@...eaurora.org>,
"David S. Miller" <davem@...emloft.net>,
"linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
netdev@...r.kernel.org
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: out of bounds read in drivers/net/wireless/ray_cs.c
Static analysis with CoverityScan picked up an out of bounds read issue
that has been in the Raylink wireless LAN card driver since it appeared
in the kernel:
drivers/net/wireless/ray_cs.c:
accessing org[3] is out of bounds, the array has just 3 elements.
959 if (proto == htons(ETH_P_AARP) || proto ==
htons(ETH_P_IPX)) {
960 /* This is the selective translation table,
only 2 entries */
CID undefined (#1 of 1): Out-of-bounds read
overrun-local: Overrunning array of 3 bytes at byte offset 3 by
dereferencing pointer &((struct snaphdr_t *)ptx->var)->org[3].
961 writeb(0xf8,
962 &((struct snaphdr_t __iomem
*)ptx->var)->org[3]);
963 }
I suspect the org[3] is a typo and should be org[2], but I don't have
any info on the H/W so I'm speculating that this is the issue. Any ideas
anyone?
Colin
Powered by blists - more mailing lists