| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1360811335-26244-1-git-send-email-peterhuewe@gmx.de>
Date: Thu, 14 Feb 2013 04:08:55 +0100
From: Peter Huewe <peterhuewe@....de>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Peter Huewe <peterhuewe@....de>,
Wei Yongjun <yongjun_wei@...ndmicro.com.cn>,
Sebastian Hahn <snsehahn@....cs.fau.de>,
devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org
Subject: [PATCH] staging/rtl8192u/ieee80211: Fix buffer overflow in ieee80211_softmac_wx.c
Clang/scan-build complains about a possible buffer overflow in
ieee80211_wx_get_name:
.../staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c:499:3:
warning: String copy function overflows destination buffer
strcat(wrqu->name," link..");
.../staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c:497:3:
warning: String copy function overflows destination buffer
strcat(wrqu->name," linked");
The buffer wrqu->name is only IFNAMSIZ bytes big (currently 16),
so if we have a "802.11b/g/n linked" device we overrun the buffer by 3
bytes.
-> Use strlcopy / strlcat to populate the name.
This is done in a similar fashion in
staging/rtl8187se/ieee80211/ieee80211_softmac_wx.c
While at it cleaned some whitespace issues.
Signed-off-by: Peter Huewe <peterhuewe@....de>
---
.../rtl8192u/ieee80211/ieee80211_softmac_wx.c | 29 ++++++++++---------
1 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c
index 45422db..60746b8 100644
--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c
+++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_softmac_wx.c
@@ -482,22 +482,23 @@ int ieee80211_wx_get_name(struct ieee80211_device *ieee,
struct iw_request_info *info,
union iwreq_data *wrqu, char *extra)
{
- strcpy(wrqu->name, "802.11");
- if(ieee->modulation & IEEE80211_CCK_MODULATION){
- strcat(wrqu->name, "b");
- if(ieee->modulation & IEEE80211_OFDM_MODULATION)
- strcat(wrqu->name, "/g");
- }else if(ieee->modulation & IEEE80211_OFDM_MODULATION)
- strcat(wrqu->name, "g");
- if (ieee->mode & (IEEE_N_24G | IEEE_N_5G))
- strcat(wrqu->name, "/n");
+ strlcpy(wrqu->name, "802.11", IFNAMSIZ);
+ if (ieee->modulation & IEEE80211_CCK_MODULATION) {
+ strlcat(wrqu->name, "b", IFNAMSIZ);
+ if (ieee->modulation & IEEE80211_OFDM_MODULATION)
+ strlcat(wrqu->name, "/g", IFNAMSIZ);
+ } else if (ieee->modulation & IEEE80211_OFDM_MODULATION) {
+ strlcat(wrqu->name, "g", IFNAMSIZ);
+ }
- if((ieee->state == IEEE80211_LINKED) ||
- (ieee->state == IEEE80211_LINKED_SCANNING))
- strcat(wrqu->name," linked");
- else if(ieee->state != IEEE80211_NOLINK)
- strcat(wrqu->name," link..");
+ if (ieee->mode & (IEEE_N_24G | IEEE_N_5G))
+ strlcat(wrqu->name, "/n", IFNAMSIZ);
+ if ((ieee->state == IEEE80211_LINKED) ||
+ (ieee->state == IEEE80211_LINKED_SCANNING))
+ strlcat(wrqu->name, " linked", IFNAMSIZ);
+ else if (ieee->state != IEEE80211_NOLINK)
+ strlcat(wrqu->name, " link..", IFNAMSIZ);
return 0;
}
--
1.7.8.6
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists