lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Jan 2016 16:37:49 -0800 From: Joshua Clayton <stillcompiling@...il.com> To: Dan Carpenter <dan.carpenter@...cle.com> Cc: Larry Finger <Larry.Finger@...inger.net>, Florian Schilhabel <florian.c.schilhabel@...glemail.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Luis de Bethencourt <luisbg@....samsung.com>, Punit Vara <punitvara@...il.com>, Andy Shevchenko <andriy.shevchenko@...ux.intel.com>, Aya Mahfouz <mahfouz.saif.elyazal@...il.com>, Alison Schofield <amsfield22@...il.com>, devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org Subject: Re: [patch] staging: rtl8712: memory corruption in wpa_set_encryption() On Saturday, January 30, 2016 05:41:10 PM Dan Carpenter wrote: > ->KeyMaterial is declared as a 16 byte array, but we only ever allocate > either 5 or 13 bytes of it. The problem is that we memset() all 16 > bytes to zero so we're memsetting past the end of the allocated memory. > > I fixed this in slightly lazy way, by just allocating 16 bytes. This > works but there is a lot more cleanup you could do to this code if you > wanted. Which is why this code is in staging. Better in every way than a crazy variable alloc if you ask me. > > Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com> > > diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > index edfc680..db2e31bc 100644 > --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > @@ -398,12 +398,9 @@ static int wpa_set_encryption(struct net_device *dev, struct ieee_param *param, > wep_key_idx = 0; > if (wep_key_len > 0) { > wep_key_len = wep_key_len <= 5 ? 5 : 13; > - pwep = kmalloc((u32)(wep_key_len + > - FIELD_OFFSET(struct NDIS_802_11_WEP, > - KeyMaterial)), GFP_ATOMIC); > + pwep = kzalloc(sizeof(*pwep), GFP_ATOMIC); > if (pwep == NULL) > return -ENOMEM; > - memset(pwep, 0, sizeof(struct NDIS_802_11_WEP)); Should there be a newline after the "if" statement? > pwep->KeyLength = wep_key_len; > pwep->Length = wep_key_len + > FIELD_OFFSET(struct NDIS_802_11_WEP,
Powered by blists - more mailing lists