Date:	Tue, 29 Sep 2015 17:21:28 +0200
From:	"PaX Team" <pageexec@...email.hu>
To:	Amitkumar Karwar <akarwar@...vell.com>
CC:	Avinash Patil <patila@...vell.com>,
	Kalle Valo <kvalo@...eaurora.org>,
	linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
	re.emese@...il.com, spender@...ecurity.net
Subject: question about potential integer truncation in mwifiex_set_wapi_ie and mwifiex_set_wps_ie

hi all,

in drivers/net/wireless/mwifiex/sta_ioctl.c the following functions

	mwifiex_set_wpa_ie_helper
	mwifiex_set_wapi_ie
	mwifiex_set_wps_ie

can truncate the incoming ie_len argument from u16 to u8 when it gets
stored in mwifiex_private.wpa_ie_len, mwifiex_private.wapi_ie_len and
mwifiex_private.wps_ie_len, respectively. based on some light code
reading it seems a length value of 256 is valid (IEEE_MAX_IE_SIZE and
MWIFIEX_MAX_VSIE_LEN seem to limit it) and thus would get truncated
to 0 when stored in those u8 fields. the question is whether this is
intentional or a bug somewhere.

FTR, this issue was detected with the upcoming version of the size overflow
plugin we have in PaX/grsecurity and there're a handful of similar cases in
the tree where potentially unwanted or unnecessary integer truncations occur,
this being one of these. any opinion/help is welcome!

cheers,
  PaX Team
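
The truncation asked about above, as an added example that is not part of the original email and not the driver's code: a simplified model of a u16 length that passes a 256-byte bound check and is then stored in a u8 field, next to a variant that rejects lengths the field cannot hold. The struct, function names and `MAX_IE_SIZE` are hypothetical stand-ins; the value 256 follows the email's reading of the limits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IE_SIZE 256 /* assumed limit: the email reads 256 as a valid length */

struct priv_model { /* simplified stand-in, not the driver's real struct */
    uint8_t ie[MAX_IE_SIZE];
    uint8_t ie_len; /* u8 length field, as described in the email */
};

/* Pattern in question: bound the u16 argument, then store it in a u8. */
int set_ie_truncating(struct priv_model *p, const uint8_t *ie, uint16_t ie_len)
{
    if (ie_len > sizeof(p->ie))
        return -1;
    memcpy(p->ie, ie, ie_len);
    p->ie_len = (uint8_t)ie_len; /* 256 becomes 0 (256 mod 2^8) */
    return 0;
}

/* Checked variant: reject any length the u8 field cannot represent. */
int set_ie_checked(struct priv_model *p, const uint8_t *ie, uint16_t ie_len)
{
    if (ie_len > sizeof(p->ie) || ie_len > UINT8_MAX)
        return -1;
    memcpy(p->ie, ie, ie_len);
    p->ie_len = (uint8_t)ie_len;
    return 0;
}

/* Consumer that trusts the stored length, e.g. when copying the IE out. */
size_t append_ie(const struct priv_model *p, uint8_t *out, size_t out_sz)
{
    if (p->ie_len > out_sz)
        return 0;
    memcpy(out, p->ie, p->ie_len);
    return p->ie_len;
}

int main(void)
{
    static uint8_t ie[MAX_IE_SIZE], frame[512]; /* constructed sample IE and output buffer */
    struct priv_model p = {0};
    int rc = set_ie_truncating(&p, ie, 256);
    printf("truncating: rc=%d len=%u copied=%zu\n", rc, (unsigned)p.ie_len, append_ie(&p, frame, 512));
    printf("checked:    rc=%d\n", set_ie_checked(&p, ie, 256));
    return 0;
}
```

Rejecting the length is only one way to resolve the mismatch; widening the stored field is the other, and which is right depends on whether 256 is meant to be accepted.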
