From: Avinash Patil <patila@marvell.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: "linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: RE: mwifiex: parse TDLS action frames during RX
Date: Mon, 1 Sep 2014 00:33:36 -0700
Message-ID: <CBACCFA0AEB13A41977475BCF3E896FC4781147CC8@SC-VEXCH2.marvell.com>
In-Reply-To: <20140828132352.GD24477@mwanda>

Hi Dan,

Thanks for reporting the static checker warning.
A patch has been submitted which ensures we do not copy beyond the end.

Thanks,
Avinash.
________________________________________
From: Dan Carpenter [dan.carpenter@oracle.com]
Sent: Thursday, August 28, 2014 6:53 PM
To: Avinash Patil
Cc: linux-wireless@vger.kernel.org
Subject: re: mwifiex: parse TDLS action frames during RX
Hello Avinash Patil,
The patch 5f2caaf32bc6: "mwifiex: parse TDLS action frames during RX"
from Feb 7, 2014, leads to the following static checker warning:

        drivers/net/wireless/mwifiex/tdls.c:873 mwifiex_process_tdls_action_frame()
        error: '2 + pos[1]' from user is not capped properly

drivers/net/wireless/mwifiex/tdls.c
   868                          memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
   869                                 sizeof(struct ieee_types_header) +
   870                                 min_t(u8, pos[1], 8));
   871                          break;
   872                  case WLAN_EID_RSN:
   873                          memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
   874                                 sizeof(struct ieee_types_header) + pos[1]);

The ->rsn_ie buffer is 256 bytes large.
sizeof(struct ieee_types_header) is 2.
pos[1] is a number between 0-255.
This can write 1 byte beyond the end.

   875                          break;
   876                  case WLAN_EID_QOS_CAPA:
   877                          sta_ptr->tdls_cap.qos_info = pos[2];
   878                          break;

regards,
dan carpenter
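
Added example, not the driver's code and not the patch mentioned in this thread: a user-space sketch of the arithmetic in the report (2-byte header plus a length byte of up to 255 against a 256-byte buffer) next to a bounded copy. The names struct ie_buf, unchecked_copy_len() and copy_ie_checked() and the "remaining" parameter are hypothetical, and rejecting an oversized element rather than truncating it is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_HDR_LEN 2u   /* element ID byte + length byte */

/* Hypothetical destination, 256 bytes like the ->rsn_ie buffer in the report. */
struct ie_buf {
	uint8_t bytes[256];
};

/* Size the unchecked memcpy() would request: header plus the length byte. */
size_t unchecked_copy_len(const uint8_t *pos)
{
	return IE_HDR_LEN + pos[1];
}

/*
 * Bounded copy. Returns the number of bytes copied, or 0 when the element
 * is truncated in the frame or does not fit in dst (rejecting instead of
 * truncating is a choice made for this example).
 */
size_t copy_ie_checked(struct ie_buf *dst, const uint8_t *pos, size_t remaining)
{
	size_t total;

	if (remaining < IE_HDR_LEN)
		return 0;               /* cannot even read the length byte */
	total = IE_HDR_LEN + pos[1];
	if (total > remaining)
		return 0;               /* length byte points past the frame */
	if (total > sizeof(dst->bytes))
		return 0;               /* 2 + 255 = 257 > 256 lands here */
	memcpy(dst->bytes, pos, total);
	return total;
}

int main(void)
{
	uint8_t frame[257] = { 48, 255 };   /* constructed element, length byte 255 */
	struct ie_buf dst;

	printf("unchecked copy size: %zu, buffer: %zu\n",
	       unchecked_copy_len(frame), sizeof(dst.bytes));
	printf("checked copy returns: %zu\n",
	       copy_ie_checked(&dst, frame, sizeof(frame)));
	return 0;
}
```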