| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2214433.RePI7YjxKq@diplodocus>
Date: Sat, 30 Jan 2016 16:37:49 -0800
From: Joshua Clayton <stillcompiling@...il.com>
To: Dan Carpenter <dan.carpenter@...cle.com>
Cc: Larry Finger <Larry.Finger@...inger.net>,
Florian Schilhabel <florian.c.schilhabel@...glemail.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Luis de Bethencourt <luisbg@....samsung.com>,
Punit Vara <punitvara@...il.com>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Aya Mahfouz <mahfouz.saif.elyazal@...il.com>,
Alison Schofield <amsfield22@...il.com>,
devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: Re: [patch] staging: rtl8712: memory corruption in wpa_set_encryption()
On Saturday, January 30, 2016 05:41:10 PM Dan Carpenter wrote:
> ->KeyMaterial is declared as a 16 byte array, but we only ever allocate
> either 5 or 13 bytes of it. The problem is that we memset() all 16
> bytes to zero so we're memsetting past the end of the allocated memory.
>
> I fixed this in slightly lazy way, by just allocating 16 bytes. This
> works but there is a lot more cleanup you could do to this code if you
> wanted. Which is why this code is in staging.
Better in every way than a crazy variable alloc if you ask me.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
>
> diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
> index edfc680..db2e31bc 100644
> --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
> +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
> @@ -398,12 +398,9 @@ static int wpa_set_encryption(struct net_device *dev, struct ieee_param *param,
> wep_key_idx = 0;
> if (wep_key_len > 0) {
> wep_key_len = wep_key_len <= 5 ? 5 : 13;
> - pwep = kmalloc((u32)(wep_key_len +
> - FIELD_OFFSET(struct NDIS_802_11_WEP,
> - KeyMaterial)), GFP_ATOMIC);
> + pwep = kzalloc(sizeof(*pwep), GFP_ATOMIC);
> if (pwep == NULL)
> return -ENOMEM;
> - memset(pwep, 0, sizeof(struct NDIS_802_11_WEP));
Should there be a newline after the "if" statement?
> pwep->KeyLength = wep_key_len;
> pwep->Length = wep_key_len +
> FIELD_OFFSET(struct NDIS_802_11_WEP,
Powered by blists - more mailing lists