Message-ID: <20221107202744.cn6t5apcny7jfetp@viti.kaiser.cx>
Date:   Mon, 7 Nov 2022 21:27:44 +0100
From:   Martin Kaiser <martin@...ser.cx>
To:     Dan Carpenter <error27@...il.com>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Larry Finger <Larry.Finger@...inger.net>,
        Phillip Potter <phil@...lpotter.co.uk>,
        Michael Straube <straube.linux@...il.com>,
        Pavel Skripkin <paskripkin@...il.com>,
        linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] staging: r8188eu: use a qos_hdr in
 validate_recv_data_frame

Thus wrote Dan Carpenter (error27@...il.com):

> On Sun, Nov 06, 2022 at 06:04:53PM +0100, Martin Kaiser wrote:
> > Define a struct ieee80211_qos_hdr in the validate_recv_data_frame
> > function. Use this struct to replace some numeric offsets and make the
> > code easier to understand.

> > Signed-off-by: Martin Kaiser <martin@...ser.cx>
> > ---
> >  drivers/staging/r8188eu/core/rtw_recv.c | 9 +++++----
> >  1 file changed, 5 insertions(+), 4 deletions(-)

> > diff --git a/drivers/staging/r8188eu/core/rtw_recv.c b/drivers/staging/r8188eu/core/rtw_recv.c
> > index cb0f35d7ab98..245b931c483d 100644
> > --- a/drivers/staging/r8188eu/core/rtw_recv.c
> > +++ b/drivers/staging/r8188eu/core/rtw_recv.c
> > @@ -1032,7 +1032,6 @@ static int validate_recv_data_frame(struct adapter *adapter,
> >  				    struct recv_frame *precv_frame)
> >  {
> >  	struct sta_info *psta = NULL;
> > -	u8 *ptr = precv_frame->rx_data;
> >  	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)precv_frame->rx_data;
> >  	struct rx_pkt_attrib	*pattrib = &precv_frame->attrib;
> >  	struct security_priv	*psecuritypriv = &adapter->securitypriv;
> > @@ -1071,10 +1070,12 @@ static int validate_recv_data_frame(struct adapter *adapter,
> >  	pattrib->ack_policy = 0;
> >  	/* parsing QC field */
> >  	if (pattrib->qos) {
> > +		struct ieee80211_qos_hdr *qos_hdr = (struct ieee80211_qos_hdr *)hdr;
> > +
> >  		pattrib->priority = ieee80211_get_tid(hdr);
> > -		pattrib->ack_policy = GetAckpolicy((ptr + 24));
> > -		pattrib->amsdu = GetAMsdu((ptr + 24));
> > -		pattrib->hdrlen = 26;
>                                ^^^

> > +		pattrib->ack_policy = GetAckpolicy(&qos_hdr->qos_ctrl);
> > +		pattrib->amsdu = GetAMsdu(&qos_hdr->qos_ctrl);
> > +		pattrib->hdrlen += sizeof(*qos_hdr);
>                                ^^^^
> Why did this change from "=" to "+="?
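
Review bot: In the QoS branch, `pattrib->hdrlen += sizeof(*qos_hdr);` replaces the assignment `pattrib->hdrlen = 26;` with an accumulation, so the resulting header length is correct only if hdrlen is still zero when this branch is reached, and nothing in the hunk guarantees that. The value describes a received frame taken from precv_frame->rx_data, so it should not depend on state left behind by earlier code; use `pattrib->hdrlen = sizeof(*qos_hdr);` to keep the previous behaviour. The commit message only mentions replacing numeric offsets, so the operator should stay as it was and the change remain a pure refactoring.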

Thanks a lot for spotting this, Dan!

I tried a couple of versions, some of which used +=. For the one I
submitted, this is wrong, of course.

All of pattrib is initialised to 0 in update_recvframe_attrib_88e and
pattrib->hdrlen is not updated until the assignment above. That's why
the += still works and testing didn't show the problem.

v2 is on the way...

Thanks again,

   Martin
