| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZumuvP3aHiHHzGjp@smile.fi.intel.com> Date: Tue, 17 Sep 2024 19:30:52 +0300 From: Andy Shevchenko <andriy.shevchenko@...ux.intel.com> To: Alper Nebi Yasak <alpernebiyasak@...il.com> Cc: linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org, David Lin <yu-hao.lin@....com>, Dmitry Antipov <dmantipov@...dex.ru>, Brian Norris <briannorris@...omium.org>, Kalle Valo <kvalo@...nel.org>, Francesco Dolcini <francesco@...cini.it>, Sascha Hauer <s.hauer@...gutronix.de>, Kees Cook <kees@...nel.org>, "Gustavo A . R . Silva" <gustavoars@...nel.org>, Johannes Berg <johannes.berg@...el.com> Subject: Re: [PATCH] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() On Tue, Sep 17, 2024 at 06:08:41PM +0300, Alper Nebi Yasak wrote: > Replace one-element array with a flexible-array member in `struct > mwifiex_ie_types_wildcard_ssid_params` to fix the following warning > on a MT8173 Chromebook (mt8173-elm-hana): > > [ 356.775250] ------------[ cut here ]------------ > [ 356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1) > [ 356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex] > > The "(size 6)" above is exactly the length of the SSID of the network > this device was connected to. The source of the warning looks like: > > ssid_len = user_scan_in->ssid_list[i].ssid_len; > [...] > memcpy(wildcard_ssid_tlv->ssid, > user_scan_in->ssid_list[i].ssid, ssid_len); > > Also adjust a #define that uses sizeof() on this struct to keep the > value same as before. ... > #define WILDCARD_SSID_TLV_MAX_SIZE \ > (MWIFIEX_MAX_SSID_LIST_LENGTH * \ > (sizeof(struct mwifiex_ie_types_wildcard_ssid_params) \ > - + IEEE80211_MAX_SSID_LEN)) > + + IEEE80211_MAX_SSID_LEN + 1)) > This hunk has to be carefully checked by wireless people. I'm not sure that we need + 1 here. Otherwise, LGTM. -- With Best Regards, Andy Shevchenko
Powered by blists - more mailing lists