[smatch stuff] rtl8712: potential memory corruption in r8712_set_key()
Dan Carpenter
dan.carpenter at oracle.com
Thu Oct 6 14:26:15 UTC 2011
Hi Larry,

My testing version of Smatch has a new warning, and I was wondering
if you could take a look:

drivers/staging/rtl8712/rtl871x_mlme.c +1286 r8712_set_key(41)
    warn: buffer overflow 'psecuritypriv->XGrpKey' 2 <= 2

drivers/staging/rtl8712/rtl871x_mlme.c
  1283          case _TKIP_:
  1284                  keylen = 16;
  1285                  memcpy(psetkeyparm->key,
  1286                          &psecuritypriv->XGrpKey[keyid - 1], keylen);
                                 ^^^^^^^^^^^^^^^^^^^
->XGrpKey[] has two elements.

keyid comes from user calling the ioctl.  It's capped between 0 and
3 by the callers.  So either -1 or 2 would be outside of the array.

  1287                  psetkeyparm->grpkey = 1;
  1288                  break;
  1289          case _AES_:
  1290                  keylen = 16;
  1291                  memcpy(psetkeyparm->key,
  1292                          &psecuritypriv->XGrpKey[keyid - 1], keylen);
                                 ^^^^^^^^^^^^^^^^^^^^
Same thing.

  1293                  psetkeyparm->grpkey = 1;
  1294                  break;

I don't know the code so well so maybe I've misunderstood how this
works.

regards,
dan carpenter
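
Added example, not part of the original message and not the driver's code: a stand-alone C model of the indexing in the excerpt above, with a range check that keeps keyid - 1 inside the two-element array. struct sec_model, copy_group_key() and the -EINVAL return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GRP_KEY_LEN 16          /* keylen in the _TKIP_ and _AES_ cases */

/* Simplified stand-in for the driver's security state (assumed layout). */
struct sec_model {
	unsigned char XGrpKey[2][GRP_KEY_LEN];  /* two elements, as reported */
};

/*
 * Copy the group key selected by keyid into out.
 * The excerpt indexes with keyid - 1, so only keyid 1 and 2 map to a slot.
 * Returns 0 on success, -EINVAL if keyid - 1 is not a valid index;
 * out is left untouched on failure.
 */
int copy_group_key(const struct sec_model *sec, int keyid,
		   unsigned char out[GRP_KEY_LEN])
{
	const size_t nslots = sizeof(sec->XGrpKey) / sizeof(sec->XGrpKey[0]);

	if (keyid < 1 || (size_t)keyid > nslots)
		return -EINVAL;

	memcpy(out, sec->XGrpKey[keyid - 1], GRP_KEY_LEN);
	return 0;
}

int main(void)
{
	struct sec_model sec;                   /* constructed sample state */
	unsigned char out[GRP_KEY_LEN];
	int keyid;

	memset(sec.XGrpKey[0], 0xAA, GRP_KEY_LEN);
	memset(sec.XGrpKey[1], 0xBB, GRP_KEY_LEN);

	/* The callers allow keyid 0..3, so walk that whole range. */
	for (keyid = 0; keyid <= 3; keyid++) {
		int ret = copy_group_key(&sec, keyid, out);

		printf("keyid=%d index=%d -> %s\n", keyid, keyid - 1,
		       ret ? "rejected (-EINVAL)" : "copied");
	}
	return 0;
}
```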