[PATCH] staging: rtl8723bs: Fix possible buffer overrun

Dan Carpenter dan.carpenter at oracle.com
Wed Nov 28 06:51:34 UTC 2018

The original code is OK.

On Wed, Nov 28, 2018 at 02:22:31AM +0000, Yang Xiao wrote:
> From: Young Xiao <YangX92 at hotmail.com>
> In routine rtw_report_sec_ie(), the code could set the length
> of the buffer to 256; however, that value is one larger than the
> corresponding memory allocation.
> See commit 8b7a13c3f404 ("staging: r8712u: Fix possible
> buffer overrun") for detail.

This bug is from 2012...  It's a real bug, but looking at things in
retrospect we probably didn't do the right fix.  The correct patch would
be to revert 8b7a13c3f404 and change this instead:

Can you send that?  Do it as one patch.  (Don't make it a revert commit,
that's just a headache, make it a normal patch with a Fixes tag).  The
commit message would look something like:

  In commit 8b7a13c3f404 ("staging: r8712u: Fix possible buffer
  overrun") we fix a potential off by one by making the limit smaller.
  The better fix is to make the buffer larger.  This makes it match up
  with the similar code in other drivers.  Blah blah blah.  Etc.

diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c
index a7374006a9fb..986a1d526918 100644
--- a/drivers/staging/rtl8712/rtl871x_mlme.c
+++ b/drivers/staging/rtl8712/rtl871x_mlme.c
@@ -1346,7 +1346,7 @@ sint r8712_restruct_sec_ie(struct _adapter *adapter, u8 *in_ie,
 		     u8 *out_ie, uint in_len)
 	u8 authmode = 0, match;
-	u8 sec_ie[255], uncst_oui[4], bkup_ie[255];
+	u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[255];
 	u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01};
 	uint ielength, cnt, remove_cnt;
 	int iEntry;
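Review bot: bkup_ie is left at 255 bytes while sec_ie grows to IW_CUSTOM_MAX in this hunk; if the follow-up patch restores the 256-byte limit that 8b7a13c3f404 reduced, any copy of sec_ie into bkup_ie bounded by that same limit would still overrun by one byte. Suggest `u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[IW_CUSTOM_MAX];` unless the fill of bkup_ie is shown to be bounded separately. Also note the hunk edits drivers/staging/rtl8712/rtl871x_mlme.c (r8712_restruct_sec_ie), whereas the subject line and the quoted report name rtl8723bs and rtw_report_sec_ie(); the resubmitted patch should say which driver it targets and carry the Fixes tag for the commit it corrects.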
