[PATCH] staging: rtl8723bs: Fix possible buffer overrun

Yang Xiao YangX92 at hotmail.com
Wed Nov 28 07:53:21 UTC 2018

Yes, you are right. I will send a new patch.


On 2018/11/28 14:51, Dan Carpenter wrote:
> The original code is OK.
> On Wed, Nov 28, 2018 at 02:22:31AM +0000, Yang Xiao wrote:
>> From: Young Xiao <YangX92 at hotmail.com>
>> In routine rtw_report_sec_ie(), the code could set the length
>> of the buffer to 256; however, that value is one larger than the
>> corresponding memory allocation.
>> See commit 8b7a13c3f404 ("staging: r8712u: Fix possible
>> buffer overrun") for detail.
> This bug is from 2012...  It's a real bug, but looking at things in
> retrospect we probably didn't do the right fix.  The correct patch would
> be to revert 8b7a13c3f404 and change this instead:
> Can you send that?  Do it as one patch.  (Don't make it a revert commit,
> that's just a headache, make it a normal patch with a Fixes tag).  The
> commit message would look something like:
>    In commit 8b7a13c3f404 ("staging: r8712u: Fix possible buffer
>    overrun") we fix a potential off by one by making the limit smaller.
>    The better fix is to make the buffer larger.  This makes it match up
>    with the similar code in other drivers.  Blah blah blah.  Etc.
> diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c
> index a7374006a9fb..986a1d526918 100644
> --- a/drivers/staging/rtl8712/rtl871x_mlme.c
> +++ b/drivers/staging/rtl8712/rtl871x_mlme.c
> @@ -1346,7 +1346,7 @@ sint r8712_restruct_sec_ie(struct _adapter *adapter, u8 *in_ie,
>   		     u8 *out_ie, uint in_len)
>   {
>   	u8 authmode = 0, match;
> -	u8 sec_ie[255], uncst_oui[4], bkup_ie[255];
> +	u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[255];
>   	u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01};
>   	uint ielength, cnt, remove_cnt;
>   	int iEntry;
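Review bot: On the changed declaration in r8712_restruct_sec_ie(), sec_ie grows to IW_CUSTOM_MAX but the hunk carries no change to the length limit that commit 8b7a13c3f404 made smaller, so as posted it is only half of the fix the mail describes; the final patch should restore that limit in the same commit. bkup_ie on the same line stays at 255: if it is bounded by the same length check as sec_ie it needs the same size, and the commit message should say which is the case. A one-line comment tying the size of sec_ie to the limit it is checked against would help keep the two from drifting apart again.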
