* re: mwifiex: parse TDLS action frames during RX
@ 2014-02-14 9:02 Dan Carpenter
2014-02-14 9:57 ` Avinash Patil
0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2014-02-14 9:02 UTC (permalink / raw)
To: patila; +Cc: linux-wireless, Bing Zhao
Hello Avinash Patil,
The patch 5f2caaf32bc6: "mwifiex: parse TDLS action frames during RX"
from Feb 7, 2014, leads to the following static checker warning:
drivers/net/wireless/mwifiex/tdls.c:820 mwifiex_process_tdls_action_frame()
error: memcpy() '&sta_ptr->tdls_cap.rsn_ie' too small (256 vs 257)
drivers/net/wireless/mwifiex/tdls.c
814 case WLAN_EID_EXT_CAPABILITY:
815 memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
816 sizeof(struct ieee_types_header) +
817 min_t(u8, pos[1], 8));
818 break;
819 case WLAN_EID_RSN:
820 memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
821 sizeof(struct ieee_types_header) + pos[1]);
Smatch thinks pos[] is untrusted data because it comes from skb->data
in mwifiex_process_rx_packet().
sta_ptr->tdls_cap.rsn_ie is defined like:
struct ieee_types_generic {
struct ieee_types_header ieee_hdr;
u8 data[IEEE_MAX_IE_SIZE - sizeof(struct ieee_types_header)];
} __packed;
So it is IEEE_MAX_IE_SIZE (256) bytes long. Meanwhile the memcpy()
limit is 2 + 0xff, so it's 257 and we are corrupting a byte past the end
of the struct.
822 break;
823 case WLAN_EID_QOS_CAPA:
824 sta_ptr->tdls_cap.qos_info = pos[2];
825 break;
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: mwifiex: parse TDLS action frames during RX
2014-02-14 9:02 mwifiex: parse TDLS action frames during RX Dan Carpenter
@ 2014-02-14 9:57 ` Avinash Patil
0 siblings, 0 replies; 5+ messages in thread
From: Avinash Patil @ 2014-02-14 9:57 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-wireless, Bing Zhao
Hi Dan,
Thanks for reporting the issue.
I will submit a patch to fix this warning.
Thanks and Regards,
Avinash Patil
-----Original Message-----
From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
Sent: Friday, February 14, 2014 2:33 PM
To: Avinash Patil
Cc: linux-wireless@vger.kernel.org; Bing Zhao
Subject: re: mwifiex: parse TDLS action frames during RX
Hello Avinash Patil,
The patch 5f2caaf32bc6: "mwifiex: parse TDLS action frames during RX"
from Feb 7, 2014, leads to the following static checker warning:
drivers/net/wireless/mwifiex/tdls.c:820 mwifiex_process_tdls_action_frame()
error: memcpy() '&sta_ptr->tdls_cap.rsn_ie' too small (256 vs 257)
drivers/net/wireless/mwifiex/tdls.c
814 case WLAN_EID_EXT_CAPABILITY:
815 memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
816 sizeof(struct ieee_types_header) +
817 min_t(u8, pos[1], 8));
818 break;
819 case WLAN_EID_RSN:
820 memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
821 sizeof(struct ieee_types_header) + pos[1]);
Smatch thinks pos[] is untrusted data because it comes from skb->data
in mwifiex_process_rx_packet().
sta_ptr->tdls_cap.rsn_ie is defined like:
struct ieee_types_generic {
struct ieee_types_header ieee_hdr;
u8 data[IEEE_MAX_IE_SIZE - sizeof(struct ieee_types_header)];
} __packed;
So it is IEEE_MAX_IE_SIZE (256) bytes long. Meanwhile the memcpy()
limit is 2 + 0xff, so it's 257 and we are corrupting a byte past the end
of the struct.
822 break;
823 case WLAN_EID_QOS_CAPA:
824 sta_ptr->tdls_cap.qos_info = pos[2];
825 break;
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: mwifiex: parse TDLS action frames during RX
2014-09-01 7:33 ` Avinash Patil
@ 2014-09-01 18:53 ` Dan Carpenter
0 siblings, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2014-09-01 18:53 UTC (permalink / raw)
To: Avinash Patil; +Cc: linux-wireless
On Mon, Sep 01, 2014 at 12:33:36AM -0700, Avinash Patil wrote:
> Hi Dan,
>
> Thanks for reporting static checker warning.
> Patch has been submitted which ensures we do not copy beyond end.
>
Great! Thanks! Do you have a link to the patch?
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: mwifiex: parse TDLS action frames during RX
2014-08-28 13:23 Dan Carpenter
@ 2014-09-01 7:33 ` Avinash Patil
2014-09-01 18:53 ` Dan Carpenter
0 siblings, 1 reply; 5+ messages in thread
From: Avinash Patil @ 2014-09-01 7:33 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-wireless
Hi Dan,
Thanks for reporting static checker warning.
Patch has been submitted which ensures we do not copy beyond end.
Thanks,
Avinash.
________________________________________
From: Dan Carpenter [dan.carpenter@oracle.com]
Sent: Thursday, August 28, 2014 6:53 PM
To: Avinash Patil
Cc: linux-wireless@vger.kernel.org
Subject: re: mwifiex: parse TDLS action frames during RX
Hello Avinash Patil,
The patch 5f2caaf32bc6: "mwifiex: parse TDLS action frames during RX"
from Feb 7, 2014, leads to the following static checker warning:
drivers/net/wireless/mwifiex/tdls.c:873 mwifiex_process_tdls_action_frame()
error: '2 + pos[1]' from user is not capped properly
drivers/net/wireless/mwifiex/tdls.c
868 memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
869 sizeof(struct ieee_types_header) +
870 min_t(u8, pos[1], 8));
871 break;
872 case WLAN_EID_RSN:
873 memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
874 sizeof(struct ieee_types_header) + pos[1]);
The ->rsn_ie buffer is 256 bytes large.
sizeof(struct ieee_types_header) is 2.
pos[1] is a number between 0-255.
This can write 1 byte beyond the end.
875 break;
876 case WLAN_EID_QOS_CAPA:
877 sta_ptr->tdls_cap.qos_info = pos[2];
878 break;
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
* re: mwifiex: parse TDLS action frames during RX
@ 2014-08-28 13:23 Dan Carpenter
2014-09-01 7:33 ` Avinash Patil
0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2014-08-28 13:23 UTC (permalink / raw)
To: patila; +Cc: linux-wireless
Hello Avinash Patil,
The patch 5f2caaf32bc6: "mwifiex: parse TDLS action frames during RX"
from Feb 7, 2014, leads to the following static checker warning:
drivers/net/wireless/mwifiex/tdls.c:873 mwifiex_process_tdls_action_frame()
error: '2 + pos[1]' from user is not capped properly
drivers/net/wireless/mwifiex/tdls.c
868 memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
869 sizeof(struct ieee_types_header) +
870 min_t(u8, pos[1], 8));
871 break;
872 case WLAN_EID_RSN:
873 memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
874 sizeof(struct ieee_types_header) + pos[1]);
The ->rsn_ie buffer is 256 bytes large.
sizeof(struct ieee_types_header) is 2.
pos[1] is a number between 0-255.
This can write 1 byte beyond the end.
875 break;
876 case WLAN_EID_QOS_CAPA:
877 sta_ptr->tdls_cap.qos_info = pos[2];
878 break;
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-09-01 18:54 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-02-14 9:02 mwifiex: parse TDLS action frames during RX Dan Carpenter
2014-02-14 9:57 ` Avinash Patil
2014-08-28 13:23 Dan Carpenter
2014-09-01 7:33 ` Avinash Patil
2014-09-01 18:53 ` Dan Carpenter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.