[patch 2/2] staging: r8188eu: overflow in rtw_p2p_get_go_device_address()

Dan Carpenter dan.carpenter at oracle.com
Fri Feb 7 11:21:56 UTC 2014


On Fri, Feb 07, 2014 at 11:46:26AM +0100, walter harms wrote:
> 
> 
> Am 03.02.2014 23:38, schrieb Dan Carpenter:
> > The go_devadd_str[] array is two characters too small to hold the
> > address so we corrupt memory.
> > 
> > I've changed the user space API slightly and I don't have a way to test
> > if this breaks anything.  In the original code we truncated away the
> > last digit of the address and the NUL terminator so it was already a bit
> > broken.
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> > 
> > diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> > index dec992569476..4ad80ae1067f 100644
> > --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> > +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> > @@ -3164,9 +3164,7 @@ static int rtw_p2p_get_go_device_address(struct net_device *dev,
> >  	u8 *p2pie;
> >  	uint p2pielen = 0, attr_contentlen = 0;
> >  	u8 attr_content[100] = {0x00};
> > -
> > -	u8 go_devadd_str[17 + 10] = {0x00};
> > -	/*  +10 is for the str "go_devadd =", we have to clear it at wrqu->data.pointer */
> > +	u8 go_devadd_str[17 + 12] = {};
> 
> 
> you are deleting the explanation for the magic numbers here,
> - intentionally  ?
> 

Yes.  The old explanation was misleading because the string is
"\n\ndev_add =" and not "go_devadd =".  The buffer is only used in one
location so the size is obvious and there is no need for a comment.

regards,
dan carpenter



More information about the devel mailing list