[report] staging: r8723au: rtw_report_sec_ie23a() is buggy
Jes Sorensen
Jes.Sorensen at redhat.com
Sun Apr 13 17:08:20 UTC 2014
Dan Carpenter <dan.carpenter at oracle.com> writes:
> Hello Larry, Jes,
>
> The rtw_report_sec_ie23a() is very buggy.
>
> 1) It uses GFP_KERNEL but the callers are holding a spinlock.
>
> rtw_select_and_join_from_scanned_queue23a() <- takes lock
> -> rtw_joinbss_cmd23a()
> -> rtw_restruct_sec_ie23a()
> -> rtw_report_sec_ie23a()
>
> 2) The sprintf() can overflow because we're putting over 512 characters
> into an IW_CUSTOM_MAX (256) character buffer.
>
> 3) It could actually be far worse than 512. It could be a forever
> loop! :P The "i" variable is declared as u8 so it will always be
> less than IW_CUSTOM_MAX (256).
>
> 4) What is the point of this function? It doesn't seem to store "buff"
> anywhere or do anything with "wrqu".
Dan,
I fixed it by ripping out the whole function, since it wasn't doing
anything at all.
Cheers,
Jes
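The two defects Dan lists (an index that can never reach IW_CUSTOM_MAX, and an unbounded sprintf() into a 256-byte buffer) in a hardened form, as an added example that is not the r8723au driver's code: `format_ie_hex()` and the `demo_*` helpers are hypothetical, and the IE bytes are constructed; only the IW_CUSTOM_MAX value (256) comes from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IW_CUSTOM_MAX 256   /* same 256-character limit the report cites */

/*
 * Hypothetical bounded writer: render an information element (IE) as a hex
 * string.  Every input byte needs two output characters, so a 256-byte IE
 * needs 512 characters plus a NUL and cannot fit in IW_CUSTOM_MAX.  Instead
 * of sprintf(), track the remaining space and report truncation.
 * Returns characters written (excluding NUL), or -1 if the output did not
 * fit.  buf is always NUL-terminated on return.
 */
int format_ie_hex(const uint8_t *ie, size_t ie_len, char *buf, size_t buf_len)
{
    size_t pos = 0;
    size_t i;   /* not u8: a u8 tops out at 255, so "i < 256" is always true */

    if (buf_len == 0)
        return -1;
    buf[0] = '\0';
    for (i = 0; i < ie_len; i++) {
        /* snprintf reports what it would have written; compare to space left */
        int n = snprintf(buf + pos, buf_len - pos, "%02x", ie[i]);
        if (n < 0 || (size_t)n >= buf_len - pos) {
            buf[pos] = '\0';    /* leave a valid, truncated string behind */
            return -1;
        }
        pos += (size_t)n;
    }
    return (int)pos;
}

/* Constructed input: n bytes of 0xab into an IW_CUSTOM_MAX-sized buffer. */
int demo_ie_of_len(size_t n)
{
    uint8_t ie[512];
    char buf[IW_CUSTOM_MAX];
    if (n > sizeof ie)
        return -1;
    memset(ie, 0xab, n);
    return format_ie_hex(ie, n, buf, sizeof buf);
}

/* Constructed 3-byte IE; returns 1 if the rendered text is exactly "dd1600". */
int demo_small_matches(void)
{
    const uint8_t ie[] = { 0xdd, 0x16, 0x00 };
    char buf[IW_CUSTOM_MAX];
    return format_ie_hex(ie, sizeof ie, buf, sizeof buf) == 6 &&
           strcmp(buf, "dd1600") == 0;
}
```

A 127-byte IE is the largest that fits (254 characters plus NUL); from 128 bytes on the writer returns -1 rather than writing past the buffer.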