[smatch stuff] rtl8712: potential memory corruption in r8712_set_key()

Dan Carpenter dan.carpenter at oracle.com
Thu Oct 6 14:26:15 UTC 2011


Hi Larry,

My testing version of Smatch has a new warning, and I was wondering
if you could take a look:

drivers/staging/rtl8712/rtl871x_mlme.c +1286 r8712_set_key(41)
	warn: buffer overflow 'psecuritypriv->XGrpKey' 2 <= 2

drivers/staging/rtl8712/rtl871x_mlme.c
  1283          case _TKIP_:
  1284                  keylen = 16;
  1285                  memcpy(psetkeyparm->key,
  1286                          &psecuritypriv->XGrpKey[keyid - 1], keylen);
                                              ^^^^^^^^^^^^^^^^^^^
->XGrpKey[] has two elements.
keyid comes from the user calling the ioctl.  It's capped between 0 and
3 by the callers.  So either -1 or 2 would be outside of the array.

  1287                  psetkeyparm->grpkey = 1;
  1288                  break;
  1289          case _AES_:
  1290                  keylen = 16;
  1291                  memcpy(psetkeyparm->key,
  1292                          &psecuritypriv->XGrpKey[keyid - 1], keylen);
                                              ^^^^^^^^^^^^^^^^^^^^
Same thing.

  1293                  psetkeyparm->grpkey = 1;
  1294                  break;

I don't know the code so well so maybe I've misunderstood how this
works.

regards,
dan carpenter
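As an added illustration of the off-by-one described above (not code from the thread or from the rtl8712 driver), the stub below models a two-element XGrpKey array and a bounds-checked copy helper; `security_priv_stub`, `copy_grp_key_checked` and `probe_keyid` are hypothetical names, and the 16-byte key size is taken from the `keylen = 16` in the quoted cases.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the group-key part of the driver's security
 * struct: two keys of 16 bytes each, as in the quoted _TKIP_/_AES_ cases. */
#define NUM_GRP_KEYS 2
#define GRP_KEYLEN   16

struct security_priv_stub {
    uint8_t XGrpKey[NUM_GRP_KEYS][GRP_KEYLEN];
};

/* Hardened form of the quoted memcpy: the ioctl caps keyid to 0..3, but the
 * array is indexed with keyid - 1, so only keyid 1 and 2 fall inside XGrpKey.
 * Returns 0 on success and -EINVAL when the index would leave the array. */
int copy_grp_key_checked(const struct security_priv_stub *sec, int keyid,
                         uint8_t *dst, size_t dstlen)
{
    int idx = keyid - 1;

    if (idx < 0 || idx >= NUM_GRP_KEYS)
        return -EINVAL;          /* keyid 0 -> idx -1, keyid 3 -> idx 2 */
    if (dstlen < GRP_KEYLEN)
        return -EINVAL;          /* destination too small for a full key */
    memcpy(dst, sec->XGrpKey[idx], GRP_KEYLEN);
    return 0;
}

/* Exercise the helper with constructed sample keys (first byte 0x11 and
 * 0x22) for one ioctl-supplied keyid. Returns the first copied key byte,
 * or the negative errno the helper rejected the keyid with. */
int probe_keyid(int keyid)
{
    struct security_priv_stub sec;
    uint8_t out[GRP_KEYLEN];
    int rc;

    memset(sec.XGrpKey[0], 0x11, GRP_KEYLEN);
    memset(sec.XGrpKey[1], 0x22, GRP_KEYLEN);
    rc = copy_grp_key_checked(&sec, keyid, out, sizeof(out));
    return rc ? rc : out[0];
}
```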
