[PATCH] staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan
Dan Carpenter
dan.carpenter at oracle.com
Mon Mar 8 07:57:35 UTC 2021
On Fri, Mar 05, 2021 at 03:00:14PM +0000, Lee wrote:
>
> Hi Dan,
>
> Do you think any of these could be potential issues:
>
> driver/staging/
>
> rtl8192e/rtllib_rx.c:2442
memcpy(dst->ssid, src->ssid, src->ssid_len);
Smatch says that at this point we know "src->ssid_len" is in the 1-32
range. This is without any fixes to how Smatch parses nl_len().
> wlan-ng/cfg80211.c:316
313 if (request->n_ssids > 0) {
314 msg1.scantype.data = P80211ENUM_scantype_active;
315 msg1.ssid.data.len = request->ssids->ssid_len;
316 memcpy(msg1.ssid.data.data,
317 request->ssids->ssid, request->ssids->ssid_len);
318 } else {
The only thing Smatch knows about "request->ssids->ssid_len" is that
it's 0-255. I had not marked "msg1.ssid.data.data" as a protected
struct member so it didn't generate a warning.
I think cfg80211_scan_request structs are filled out in a systematic
way in ieee80211_request_ibss_scan() and they're bounds checked properly
so this isn't a bug.
> rtl8723bs/os_dep/ioctl_cfg80211.c:1591
> rtl8723bs/os_dep/ioctl_cfg80211.c:2738
Same.
regards,
dan carpenter
More information about the devel
mailing list