From: Avinash Patil <patila@marvell.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: "linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: RE: mwifiex: parse TDLS action frames during RX
Date: Mon, 1 Sep 2014 00:33:36 -0700
Message-ID: <CBACCFA0AEB13A41977475BCF3E896FC4781147CC8@SC-VEXCH2.marvell.com>
In-Reply-To: <20140828132352.GD24477@mwanda>

Hi Dan,

Thanks for reporting the static checker warning.
A patch has been submitted which ensures we do not copy beyond the end.

Thanks,
Avinash.
________________________________________
From: Dan Carpenter [dan.carpenter@oracle.com]
Sent: Thursday, August 28, 2014 6:53 PM
To: Avinash Patil
Cc: linux-wireless@vger.kernel.org
Subject: re: mwifiex: parse TDLS action frames during RX

Hello Avinash Patil,

The patch 5f2caaf32bc6: "mwifiex: parse TDLS action frames during RX"
from Feb 7, 2014, leads to the following static checker warning:

        drivers/net/wireless/mwifiex/tdls.c:873 mwifiex_process_tdls_action_frame()
        error: '2 + pos[1]' from user is not capped properly

drivers/net/wireless/mwifiex/tdls.c
   868                          memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
   869                                 sizeof(struct ieee_types_header) +
   870                                 min_t(u8, pos[1], 8));
   871                          break;
   872                  case WLAN_EID_RSN:
   873                          memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
   874                                 sizeof(struct ieee_types_header) + pos[1]);

The ->rsn_ie buffer is 256 bytes large.
sizeof(struct ieee_types_header) is 2.
pos[1] is a number between 0-255.
This can write 1 byte beyond the end.

   875                          break;
   876                  case WLAN_EID_QOS_CAPA:
   877                          sta_ptr->tdls_cap.qos_info = pos[2];
   878                          break;

regards,
dan carpenter
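The off-by-one Dan describes, worked through as an added example (this is not code from the driver or from either poster). The 256-byte destination, 2-byte IE header and 0-255 length range come from the report; everything else (struct and function names, the guard byte, the constructed RSN element) is an assumption for the demo. The hardened variant clamps the body length in the same min_t() style the extcap case a few lines above already uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef uint8_t u8;

#define WLAN_EID_RSN   48    /* IEEE 802.11 RSN element ID */
#define RSN_IE_SIZE    256   /* size of tdls_cap.rsn_ie per the report */
#define GUARD_BYTE     0x5A

struct ieee_types_header {
    u8 element_id;
    u8 len;
};

/* Constructed stand-in for sta_ptr->tdls_cap.rsn_ie: 256 bytes of IE
 * storage followed by one guard byte in the same flat buffer, so a
 * one-byte overrun shows up as a clobbered guard without any UB in
 * the demo itself (names are assumptions, not the driver's). */
struct rsn_dest {
    u8 buf[RSN_IE_SIZE + 1];
};

static void rsn_dest_init(struct rsn_dest *d)
{
    memset(d->buf, 0, RSN_IE_SIZE);
    d->buf[RSN_IE_SIZE] = GUARD_BYTE;
}

/* Build a constructed RSN element with the given body length into out
 * (out needs 2 + len bytes). In the driver this comes from a received
 * TDLS action frame, so len is under the peer's control. */
static size_t build_rsn_ie(u8 *out, u8 len)
{
    out[0] = WLAN_EID_RSN;
    out[1] = len;
    memset(out + 2, 0xAA, len);
    return sizeof(struct ieee_types_header) + len;
}

/* The pattern flagged at tdls.c:873: copies 2 + pos[1] bytes, i.e. up
 * to 257 bytes into a 256-byte buffer. */
static size_t copy_rsn_ie_unchecked(struct rsn_dest *d, const u8 *pos)
{
    size_t n = sizeof(struct ieee_types_header) + pos[1];
    memcpy(d->buf, pos, n);
    return n;
}

/* Hardened form: clamp the body to what fits after the header, so the
 * copy can never exceed RSN_IE_SIZE. */
static size_t copy_rsn_ie_checked(struct rsn_dest *d, const u8 *pos)
{
    size_t max_body = RSN_IE_SIZE - sizeof(struct ieee_types_header);
    size_t body = pos[1];
    if (body > max_body)
        body = max_body;
    size_t n = sizeof(struct ieee_types_header) + body;
    memcpy(d->buf, pos, n);
    return n;
}

/* Run one variant against a constructed IE of body length ie_len and
 * return the number of bytes it copied; d receives the destination. */
static size_t run_copy(int use_checked, u8 ie_len, struct rsn_dest *d)
{
    u8 ie[RSN_IE_SIZE + 1];   /* large enough for a 255-byte body */
    rsn_dest_init(d);
    build_rsn_ie(ie, ie_len);
    return use_checked ? copy_rsn_ie_checked(d, ie)
                       : copy_rsn_ie_unchecked(d, ie);
}

/* 1 if the guard byte after rsn_ie was overwritten, else 0. */
static int guard_clobbered(int use_checked, u8 ie_len)
{
    struct rsn_dest d;
    run_copy(use_checked, ie_len, &d);
    return d.buf[RSN_IE_SIZE] != GUARD_BYTE;
}

static size_t copy_len(int use_checked, u8 ie_len)
{
    struct rsn_dest d;
    return run_copy(use_checked, ie_len, &d);
}

int main(void)
{
    printf("len=254 unchecked: copied %zu, guard clobbered=%d\n",
           copy_len(0, 254), guard_clobbered(0, 254));
    printf("len=255 unchecked: copied %zu, guard clobbered=%d\n",
           copy_len(0, 255), guard_clobbered(0, 255));
    printf("len=255 checked:   copied %zu, guard clobbered=%d\n",
           copy_len(1, 255), guard_clobbered(1, 255));
    return 0;
}
```

Only the maximal length (pos[1] == 255) overruns, which is why this class of bug survives ordinary testing: every legitimate RSN element is far shorter. Clamping keeps the write in bounds but silently truncates an oversized element; whether a truncated RSN IE should be stored at all, or the frame rejected, is a policy choice the clamp alone does not make. Separately from the destination bound shown here, a parser of this kind also needs the element length checked against the bytes remaining in the received frame, since pos[1] is peer-supplied.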

Thread overview (5+ messages):
2014-08-28 13:23 mwifiex: parse TDLS action frames during RX Dan Carpenter
2014-09-01  7:33 ` Avinash Patil [this message]
2014-09-01 18:53   ` Dan Carpenter
  -- strict thread matches above, loose matches on Subject: below --
2014-02-14  9:02 Dan Carpenter
2014-02-14  9:57 ` Avinash Patil
