[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CABv53a9x_FbTY0=D_TGsHdS3XsUVg5M=S5WYVNdQXaVSC=XVYQ@mail.gmail.com>
Date: Tue, 24 Aug 2021 16:47:26 +0800
From: iLifetruth <yixiaonn@...il.com>
To: Fabio Aiuto <fabioaiuto83@...il.com>
Cc: gregkh@...uxfoundation.org, ross.schm.dev@...il.com,
marcocesati@...il.com, insafonov@...il.com,
linux-kernel@...r.kernel.org, Qiang Liu <cyruscyliu@...il.com>,
yajin@...kernel.org, hdegoede@...hat.com,
Larry.Finger@...inger.net, Martin Kaiser <martin@...ser.cx>,
Phillip Potter <phil@...lpotter.co.uk>,
Michael Straube <straube.linux@...il.com>,
fmdefrancesco@...il.com, linux-staging@...ts.linux.dev,
paskripkin@...il.com
Subject: Re: staging: possible buffer overflow in rtw_wx_set_scan function in driver/staging/rtl8723bs
On Tue, Aug 24, 2021 at 3:46 PM Fabio Aiuto <fabioaiuto83@...il.com> wrote:
>
> Hello,
>
> [sorry for resend, I updated the CC field]
>
> On Tue, Aug 24, 2021 at 03:04:04PM +0800, iLifetruth wrote:
> > Here are the fixes and the contents of the patch file we suggest.
> >
> > [PATCH]staging: rtl8723bs: prevent ->ssid overflow in rtw_wx_set_scan()
> >
> > This fixing patch is ported from the upstream commit
> > 74b6b20df8cf(staging: rtl8188eu: prevent ->ssid overflow in
> > rtw_wx_set_scan()) which fixes on another driver numbered rtl8188eu.
> > This code has a check to prevent read overflow but it needs another
> > check to prevent writing beyond the end of the ->ssid[] array in
> > driver rtl8723bs.
> >
> > ---
> > drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
> > b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
> > index f95000df8942..3b859b71bf43 100644
> > --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
> > +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
> > @@ -1222,9 +1222,9 @@ static int rtw_wx_set_scan(struct net_device
> > *dev, struct iw_request_info *a,
> >
> > sec_len = *(pos++); len -= 1;
> >
> > - if (sec_len > 0 && sec_len <= len) {
> > + if (sec_len > 0 && sec_len <= len &&
> > sec_len<= 32) {
> > ssid[ssid_index].SsidLength = sec_len;
> > - memcpy(ssid[ssid_index].Ssid,
> > pos, ssid[ssid_index].SsidLength);
> > + memcpy(ssid[ssid_index].Ssid,
> > pos, sec_len);
> > ssid_index++;
> > }
> >
> > --
> >
> > Thanks for your confirmation,
> > - iLifetruth
> >
>
> the patch looks fine. Just some points:
>
> - If the patch related to wext support removal will
> be accepted, the patch isn't necessary. So I will wait
> until I know the community-maintainer decision.
>
OK, I see the situation now, and I will submit a relevant patch to the
Linux-staging tree at a suitable time.
Powered by blists - more mailing lists