Avoid null pointer arithmetic in rtw_mlme_ext.c by skipping other field
checks if the information element pointer is null.
Signed-off-by: Aymen Qader <[email protected]>
---
drivers/staging/rtl8188eu/core/rtw_mlme_ext.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c b/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
index 834053a0ae9d..8a3a71456cd0 100644
--- a/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
@@ -2971,8 +2971,10 @@ static unsigned int OnAssocReq(struct adapter *padapter,
/* checking SSID */
p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + ie_offset, _SSID_IE_, &ie_len,
pkt_len - WLAN_HDR_A3_LEN - ie_offset);
- if (!p)
+ if (!p) {
status = _STATS_FAILURE_;
+ goto OnAssocReqFail;
+ }
if (ie_len == 0) { /* broadcast ssid, however it is not allowed in assocreq */
status = _STATS_FAILURE_;
--
2.17.1
On 9/27/18 12:04 PM, Aymen Qader wrote:
> Avoid null pointer arithmetic in rtw_mlme_ext.c by skipping other field
> checks if the information element pointer is null.
>
> Signed-off-by: Aymen Qader <[email protected]>
> ---
> drivers/staging/rtl8188eu/core/rtw_mlme_ext.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c b/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
> index 834053a0ae9d..8a3a71456cd0 100644
> --- a/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
> @@ -2971,8 +2971,10 @@ static unsigned int OnAssocReq(struct adapter *padapter,
> /* checking SSID */
> p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + ie_offset, _SSID_IE_, &ie_len,
> pkt_len - WLAN_HDR_A3_LEN - ie_offset);
> - if (!p)
> + if (!p) {
> status = _STATS_FAILURE_;
> + goto OnAssocReqFail;
> + }
>
> if (ie_len == 0) { /* broadcast ssid, however it is not allowed in assocreq */
> status = _STATS_FAILURE_;
I do not think this patch avoids any pointer arithmetic. If p is NULL, then
ie_len will be zero and the branch with the memcmp() call, where the pointer
arithmetic is done, will be skipped.
That said, it is better to bail out with the first failure condition. I do not
require the following, but the code would be even simpler if you test p and
ie_len==0 in a single if statement and eliminate some code as in
diff --git a/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
b/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
index 1115050077e4..71722cec84a0 100644
--- a/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
@@ -2982,11 +2982,10 @@ static unsigned int OnAssocReq(struct adapter *padapter,
/* checking SSID */
p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + ie_offset, _SSID_IE_, &ie_len,
pkt_len - WLAN_HDR_A3_LEN - ie_offset);
- if (!p)
- status = _STATS_FAILURE_;
- if (ie_len == 0) { /* broadcast ssid, however it is not allowed in
assocreq */
+ if (!p || ie_len == 0) { /* broadcast ssid, however it is not allowed
in assocreq */
status = _STATS_FAILURE_;
+ goto OnAssocReqFail;
} else {
/* check if ssid match */
if (memcmp((void *)(p+2), cur->Ssid.Ssid, cur->Ssid.SsidLength))
ACKed-by: Larry Finger <[email protected]>
Thanks,
Larry
On Thu, Sep 27, 2018 at 03:52:53PM -0500, Larry Finger wrote:
> On 9/27/18 12:04 PM, Aymen Qader wrote:
> > Avoid null pointer arithmetic in rtw_mlme_ext.c by skipping other field
> > checks if the information element pointer is null.
> >
> > Signed-off-by: Aymen Qader <[email protected]>
> > ---
> > drivers/staging/rtl8188eu/core/rtw_mlme_ext.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c b/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
> > index 834053a0ae9d..8a3a71456cd0 100644
> > --- a/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
> > +++ b/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
> > @@ -2971,8 +2971,10 @@ static unsigned int OnAssocReq(struct adapter *padapter,
> > /* checking SSID */
> > p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + ie_offset, _SSID_IE_, &ie_len,
> > pkt_len - WLAN_HDR_A3_LEN - ie_offset);
> > - if (!p)
> > + if (!p) {
> > status = _STATS_FAILURE_;
> > + goto OnAssocReqFail;
> > + }
> > if (ie_len == 0) { /* broadcast ssid, however it is not allowed in assocreq */
> > status = _STATS_FAILURE_;
>
> I do not think this patch avoids any pointer arithmetic. If p is NULL, then
> ie_len will be zero and the branch with the memcmp() call, where the pointer
> arithmetic is done, will be skipped.
I'm sincerely sorry, you're completely right--that was a bad oversight
from me, I should have checked more thoroughly.
>
> That said, it is better to bail out with the first failure condition. I do
> not require the following, but the code would be even simpler if you test p
> and ie_len==0 in a single if statement and eliminate some code as in
>
> diff --git a/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
> b/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
> index 1115050077e4..71722cec84a0 100644
> --- a/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8188eu/core/rtw_mlme_ext.c
> @@ -2982,11 +2982,10 @@ static unsigned int OnAssocReq(struct adapter *padapter,
> /* checking SSID */
> p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + ie_offset, _SSID_IE_, &ie_len,
> pkt_len - WLAN_HDR_A3_LEN - ie_offset);
> - if (!p)
> - status = _STATS_FAILURE_;
>
> - if (ie_len == 0) { /* broadcast ssid, however it is not allowed in
> assocreq */
> + if (!p || ie_len == 0) { /* broadcast ssid, however it is not
> allowed in assocreq */
> status = _STATS_FAILURE_;
> + goto OnAssocReqFail;
> } else {
> /* check if ssid match */
> if (memcmp((void *)(p+2), cur->Ssid.Ssid, cur->Ssid.SsidLength))
>
Yep, I understand that would be a lot better. If it's alright, I'll send
this in with a v2 (w/ a more appropriate commit message).
>
> ACKed-by: Larry Finger <[email protected]>
>
> Thanks,
>
> Larry
>
Kind regards,
Aymen