lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Sat, 30 Jan 2016 16:37:49 -0800
From:	Joshua Clayton <stillcompiling@...il.com>
To:	Dan Carpenter <dan.carpenter@...cle.com>
Cc:	Larry Finger <Larry.Finger@...inger.net>,
	Florian Schilhabel <florian.c.schilhabel@...glemail.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Luis de Bethencourt <luisbg@....samsung.com>,
	Punit Vara <punitvara@...il.com>,
	Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
	Aya Mahfouz <mahfouz.saif.elyazal@...il.com>,
	Alison Schofield <amsfield22@...il.com>,
	devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: Re: [patch] staging: rtl8712: memory corruption in wpa_set_encryption()

On Saturday, January 30, 2016 05:41:10 PM Dan Carpenter wrote:
> ->KeyMaterial is declared as a 16 byte array, but we only ever allocate
> either 5 or 13 bytes of it.  The problem is that we memset() all 16
> bytes to zero so we're memsetting past the end of the allocated memory.
> 
> I fixed this in slightly lazy way, by just allocating 16 bytes.  This
> works but there is a lot more cleanup you could do to this code if you
> wanted.  Which is why this code is in staging.
Better in every way than a crazy variable alloc if you ask me.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> 
> diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
> index edfc680..db2e31bc 100644
> --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
> +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
> @@ -398,12 +398,9 @@ static int wpa_set_encryption(struct net_device *dev, struct ieee_param *param,
>  			wep_key_idx = 0;
>  		if (wep_key_len > 0) {
>  			wep_key_len = wep_key_len <= 5 ? 5 : 13;
> -			pwep = kmalloc((u32)(wep_key_len +
> -				FIELD_OFFSET(struct NDIS_802_11_WEP,
> -				KeyMaterial)), GFP_ATOMIC);
> +			pwep = kzalloc(sizeof(*pwep), GFP_ATOMIC);
>  			if (pwep == NULL)
>  				return -ENOMEM;
> -			memset(pwep, 0, sizeof(struct NDIS_802_11_WEP));

Should there be a newline after the "if" statement?
>  			pwep->KeyLength = wep_key_len;
>  			pwep->Length = wep_key_len +
>  				 FIELD_OFFSET(struct NDIS_802_11_WEP,

Powered by blists - more mailing lists