lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <alpine.LNX.2.00.1010291544510.8123@swampdragon.chaosbits.net>
Date:	Fri, 29 Oct 2010 16:10:26 +0200 (CEST)
From:	Jesper Juhl <jj@...osbits.net>
To:	Johannes Berg <johannes@...solutions.net>
cc:	linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] mac80211 failure to check kmalloc return value in key_key_read
 could lead to unpleasant surprises

I noticed two small issues in mac80211/debugfs_key.c::key_key_read while 
reading through the code. Patch below.

The key_key_read() function returns ssize_t and the value that's actually 
returned is the return value of simple_read_from_buffer() which also 
returns ssize_t, so let's hold the return value in a ssize_t local 
variable rather than a int one.

Also, memory is allocated dynamically with kmalloc() which can fail, but 
the return value of kmalloc() is not checked, so we may end up operating 
on a null pointer further on. So check for a NULL return and bail out with 
-ENOMEM in that case.

Please keep me on CC on replies since I'm not subscribed to 
linux-wireless.


Signed-off-by: Jesper Juhl <jj@...osbits.net>
---
 debugfs_key.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/debugfs_key.c b/net/mac80211/debugfs_key.c
index 4aa47d0..1243d1d 100644
--- a/net/mac80211/debugfs_key.c
+++ b/net/mac80211/debugfs_key.c
@@ -203,9 +203,13 @@ static ssize_t key_key_read(struct file *file, char __user *userbuf,
 			    size_t count, loff_t *ppos)
 {
 	struct ieee80211_key *key = file->private_data;
-	int i, res, bufsize = 2 * key->conf.keylen + 2;
+	int i, bufsize = 2 * key->conf.keylen + 2;
 	char *buf = kmalloc(bufsize, GFP_KERNEL);
 	char *p = buf;
+	ssize_t res;
+
+	if (!buf)
+		return -ENOMEM;
 
 	for (i = 0; i < key->conf.keylen; i++)
 		p += scnprintf(p, bufsize + buf - p, "%02x", key->conf.key[i]);


-- 
Jesper Juhl <jj@...osbits.net>             http://www.chaosbits.net/
Plain text mails only, please      http://www.expita.com/nomime.html
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ