strcpy() performs no bounds checking on the destination buffer. This
could result in linear overflows beyond the end of the buffer, leading
to all kinds of misbehaviors. The safe replacement is strscpy().
Signed-off-by: Len Baker <[email protected]>
---
drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c | 2 +-
drivers/staging/rtl8192e/rtllib_softmac.c | 3 ++-
drivers/staging/rtl8192e/rtllib_softmac_wx.c | 2 +-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c b/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
index b626ac45db80..358b629d2cc6 100644
--- a/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
+++ b/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
@@ -2167,7 +2167,7 @@ rtl92e_init_variables(struct net_device *dev)
{
struct r8192_priv *priv = rtllib_priv(dev);
- strcpy(priv->nick, "rtl8192E");
+ strscpy(priv->nick, "rtl8192E", sizeof(priv->nick));
priv->rtllib->softmac_features = IEEE_SOFTMAC_SCAN |
IEEE_SOFTMAC_ASSOCIATE | IEEE_SOFTMAC_PROBERQ |
diff --git a/drivers/staging/rtl8192e/rtllib_softmac.c b/drivers/staging/rtl8192e/rtllib_softmac.c
index 25b3d3950a3c..d2726d01c757 100644
--- a/drivers/staging/rtl8192e/rtllib_softmac.c
+++ b/drivers/staging/rtl8192e/rtllib_softmac.c
@@ -2582,7 +2582,8 @@ static void rtllib_start_ibss_wq(void *data)
mutex_lock(&ieee->wx_mutex);
if (ieee->current_network.ssid_len == 0) {
- strcpy(ieee->current_network.ssid, RTLLIB_DEFAULT_TX_ESSID);
+ strscpy(ieee->current_network.ssid, RTLLIB_DEFAULT_TX_ESSID,
+ sizeof(ieee->current_network.ssid));
ieee->current_network.ssid_len = strlen(RTLLIB_DEFAULT_TX_ESSID);
ieee->ssid_set = 1;
}
diff --git a/drivers/staging/rtl8192e/rtllib_softmac_wx.c b/drivers/staging/rtl8192e/rtllib_softmac_wx.c
index f89799d43b1b..5968407c646d 100644
--- a/drivers/staging/rtl8192e/rtllib_softmac_wx.c
+++ b/drivers/staging/rtl8192e/rtllib_softmac_wx.c
@@ -543,7 +543,7 @@ int rtllib_wx_get_name(struct rtllib_device *ieee,
struct iw_request_info *info,
union iwreq_data *wrqu, char *extra)
{
- strcpy(wrqu->name, "802.11");
+ strscpy(wrqu->name, "802.11", sizeof(wrqu->name));
if (ieee->modulation & RTLLIB_CCK_MODULATION)
strcat(wrqu->name, "b");
--
2.25.1
On Sun, Jul 18, 2021 at 11:06:36AM +0200, Len Baker wrote:
> diff --git a/drivers/staging/rtl8192e/rtllib_softmac_wx.c b/drivers/staging/rtl8192e/rtllib_softmac_wx.c
> index f89799d43b1b..5968407c646d 100644
> --- a/drivers/staging/rtl8192e/rtllib_softmac_wx.c
> +++ b/drivers/staging/rtl8192e/rtllib_softmac_wx.c
> @@ -543,7 +543,7 @@ int rtllib_wx_get_name(struct rtllib_device *ieee,
> struct iw_request_info *info,
> union iwreq_data *wrqu, char *extra)
> {
> - strcpy(wrqu->name, "802.11");
> + strscpy(wrqu->name, "802.11", sizeof(wrqu->name));
>
> if (ieee->modulation & RTLLIB_CCK_MODULATION)
> strcat(wrqu->name, "b");
This patch is just about silencing inferior static analysis tools,
right? Most checkers can figure out the size of the array and verify
that it has space for "802.11". Probably it's only raw grep which
can't.
It doesn't make sense to me that we have strscpy() followed by strcat.
So let's fix both.
regards,
dan carpenter
Hi,
On Mon, Jul 19, 2021 at 08:43:45AM +0300, Dan Carpenter wrote:
> On Sun, Jul 18, 2021 at 11:06:36AM +0200, Len Baker wrote:
> > diff --git a/drivers/staging/rtl8192e/rtllib_softmac_wx.c b/drivers/staging/rtl8192e/rtllib_softmac_wx.c
> > index f89799d43b1b..5968407c646d 100644
> > --- a/drivers/staging/rtl8192e/rtllib_softmac_wx.c
> > +++ b/drivers/staging/rtl8192e/rtllib_softmac_wx.c
> > @@ -543,7 +543,7 @@ int rtllib_wx_get_name(struct rtllib_device *ieee,
> > struct iw_request_info *info,
> > union iwreq_data *wrqu, char *extra)
> > {
> > - strcpy(wrqu->name, "802.11");
> > + strscpy(wrqu->name, "802.11", sizeof(wrqu->name));
> >
> > if (ieee->modulation & RTLLIB_CCK_MODULATION)
> > strcat(wrqu->name, "b");
>
> This patch is just about silencing inferior static analysis tools,
> right? Most checkers can figure out the size of the array and verify
> that it has space for "802.11". Probably it's only raw grep which
> can't.
>
> It doesn't make sense to me that we have strscpy() followed by strcat.
> So let's fix both.
Ok, I will send a v2 for review. Thanks for the feedback.
>
> regards,
> dan carpenter
Regards,
Len