| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180430125040.GA19050@embeddedor.com>
Date: Mon, 30 Apr 2018 07:50:40 -0500
From: "Gustavo A. R. Silva" <gustavo@...eddedor.com>
To: Ajay Singh <ajay.kathat@...rochip.com>,
Ganesh Krishna <ganesh.krishna@...rochip.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: linux-wireless@...r.kernel.org, devel@...verdev.osuosl.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org,
"Gustavo A. R. Silva" <gustavo@...eddedor.com>
Subject: [PATCH] staging: wilc1000: fix infinite loop and out-of-bounds access
If i < slot_id is initially true then it will remain true. Also,
as i is being decremented it will end up accessing memory out of
bounds.
Fix this by incrementing *i* instead of decrementing it.
Addresses-Coverity-ID: 1468454 ("Infinite loop")
Fixes: faa657641081 ("staging: wilc1000: refactor scan() to free kmalloc
memory on failure cases")
Signed-off-by: Gustavo A. R. Silva <gustavo@...eddedor.com>
---
BTW... at first sight it seems to me that variables slot_id
and i should be of type unsigned instead of signed.
drivers/staging/wilc1000/wilc_wfi_cfgoperations.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
index 3ca0c97..67104e8 100644
--- a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
+++ b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
@@ -608,7 +608,7 @@ wilc_wfi_cfg_alloc_fill_ssid(struct cfg80211_scan_request *request,
out_free:
- for (i = 0; i < slot_id ; i--)
+ for (i = 0; i < slot_id; i++)
kfree(ntwk->net_info[i].ssid);
kfree(ntwk->net_info);
--
2.7.4
Powered by blists - more mailing lists