[PATCH 05/21] staging: rtl8188eu: ternary operator (?:) replaced by min/max kernel macro

Dan Carpenter dan.carpenter at oracle.com
Mon Oct 26 09:06:38 UTC 2015


On Sat, Oct 24, 2015 at 08:42:29PM +0700, Ivan Safonov wrote:
> diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> index 98bdc95..735e24b 100644
> --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
> @@ -2669,7 +2669,7 @@ static int rtw_get_sta_wpaie(struct net_device *dev, struct ieee_param *param)
>  			int copy_len;
>  
>  			wpa_ie_len = psta->wpa_ie[1];
> -			copy_len = ((wpa_ie_len+2) > sizeof(psta->wpa_ie)) ? (sizeof(psta->wpa_ie)) : (wpa_ie_len+2);
> +			copy_len = min(wpa_ie_len + 2, (int)sizeof(psta->wpa_ie));
>  			param->u.wpa_ie.len = copy_len;
>  			memcpy(param->u.wpa_ie.reserved, psta->wpa_ie, copy_len);
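
Review bot: the (int) cast on sizeof(psta->wpa_ie) in the added copy_len line turns the bound check into a signed comparison, which drops a clamp the removed line provided. The removed ternary compared "wpa_ie_len+2" against a size_t, so a negative value was converted to a large unsigned one and clamped to sizeof(psta->wpa_ie). With min() on two ints, a negative "wpa_ie_len + 2" is returned unchanged and then flows into param->u.wpa_ie.len and the memcpy() length in the two context lines that follow. The declaration of wpa_ie_len is outside this hunk, so either keep the comparison unsigned, for example min_t(size_t, wpa_ie_len + 2, sizeof(psta->wpa_ie)), or say in the changelog why the value can never be negative.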


In the original code if "wpa_ie_len + 2" was negative then copy_len is
sizeof(psta->wpa_ie), but in the new code copy_len is a negative
number and the memcpy() will corrupt memory and crash the system.

regards,
dan carpenter
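
The behaviour change described in the reply above, as an added user-space example (not code from the driver or from anyone in this thread). It assumes wpa_ie_len is a signed int and uses a constructed 32-byte buffer size; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed value: the real sizeof(psta->wpa_ie) is not shown in the patch. */
#define WPA_IE_SIZE ((size_t)32)

/* Pre-patch ternary. sizeof() is size_t, so "wpa_ie_len + 2" is converted to
 * unsigned before the comparison; the cast spells out that implicit conversion. */
static int copy_len_ternary(int wpa_ie_len, size_t buf_size)
{
	size_t want = (size_t)(wpa_ie_len + 2);

	return (int)(want > buf_size ? buf_size : want);
}

/* Post-patch form: the (int) cast on sizeof makes the comparison signed. */
static int copy_len_min_int(int wpa_ie_len, size_t buf_size)
{
	int want = wpa_ie_len + 2;
	int cap = (int)buf_size;

	return want < cap ? want : cap;
}

/* Returns 1 if copy_len, converted to size_t the way memcpy()'s length
 * parameter converts it, stays inside a buf_size-byte buffer. */
static int copy_in_bounds(int copy_len, size_t buf_size)
{
	return (size_t)copy_len <= buf_size;
}

int main(void)
{
	/* Constructed inputs; a signed wpa_ie_len is an assumption of this example. */
	static const int samples[] = { -10, -3, 0, 20, 30, 100 };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int a = copy_len_ternary(samples[i], WPA_IE_SIZE);
		int b = copy_len_min_int(samples[i], WPA_IE_SIZE);

		printf("len=%4d ternary=%3d (%s) min=%3d (%s)\n", samples[i],
		       a, copy_in_bounds(a, WPA_IE_SIZE) ? "ok" : "OOB",
		       b, copy_in_bounds(b, WPA_IE_SIZE) ? "ok" : "OOB");
	}
	return 0;
}
```

The two forms agree for every non-negative input and differ only when "wpa_ie_len + 2" is negative.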


