From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Atul Gopinathan
Subject: [PATCH 5.4 73/74] staging: rtl8192e: Change state information from u16 to u8
Date: Mon, 5 Apr 2021 10:54:37 +0200
Message-Id: <20210405085027.124276814@linuxfoundation.org>
In-Reply-To: <20210405085024.703004126@linuxfoundation.org>
References: <20210405085024.703004126@linuxfoundation.org>

From: Atul Gopinathan

commit e78836ae76d20f38eed8c8c67f21db97529949da upstream.

The "u16 CcxRmState[2];" array field in struct "rtllib_network" has 4
bytes in total while the operations performed on this array throughout
the code base are only 2 bytes.

The "CcxRmState" field is fed only 2 bytes of data using memcpy():

(In rtllib_rx.c:1972)
    memcpy(network->CcxRmState, &info_element->data[4], 2)

With "info_element->data[]" being a u8 array, if 2 bytes are written
into "CcxRmState" (whose one element is u16 size), then the 2 u8
elements from "data[]" get squashed and written into the first element
("CcxRmState[0]") while the second element ("CcxRmState[1]") is never
fed with any data.

Same in file rtllib_rx.c:2522:
    memcpy(dst->CcxRmState, src->CcxRmState, 2);

The above line duplicates "src" data to "dst" but only writes 2 bytes
(and not 4, which is the actual size). Again, only 1st element gets the
value while the 2nd element remains uninitialized.

This later makes operations done with CcxRmState unpredictable in the
following lines as the 1st element is having a squashed number while the
2nd element is having an uninitialized random number.

rtllib_rx.c:1973:    if (network->CcxRmState[0] != 0)
rtllib_rx.c:1977:    network->MBssidMask = network->CcxRmState[1] & 0x07;

network->MBssidMask is also of type u8 and not u16.

Fix this by changing the type of "CcxRmState" from u16 to u8 so that the
data written into this array and read from it make sense and are not
random values.

NOTE: The wrong initialization of "CcxRmState" can be seen in the
following commit:

commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver")

The above commit created a file `rtl8192e/ieee80211.h` which used to
have the faulty line. The file has been deleted (or possibly renamed)
with the contents copied into a new file `rtl8192e/rtllib.h` along with
additional code in the commit 94a799425eee (tagged in Fixes).

Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek") Cc: stable@vger.kernel.org Signed-off-by: Atul Gopinathan Link: https://lore.kernel.org/r/20210323113413.29179-2-atulgopinathan@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8192e/rtllib.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/staging/rtl8192e/rtllib.h +++ b/drivers/staging/rtl8192e/rtllib.h @@ -1105,7 +1105,7 @@ struct rtllib_network { bool bWithAironetIE; bool bCkipSupported; bool bCcxRmEnable; - u16 CcxRmState[2]; + u8 CcxRmState[2]; bool bMBssidValid; u8 MBssidMask; u8 MBssid[ETH_ALEN];
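
Review bot: the new "u8 CcxRmState[2];" declaration in struct rtllib_network now matches the 2-byte copies, but the two memcpy() calls quoted in the commit message (rtllib_rx.c:1972 and rtllib_rx.c:2522) still pass a literal 2 as the length, so the copy size and the field size can drift apart again with no compiler diagnostic. A follow-up that passes sizeof(network->CcxRmState) and sizeof(dst->CcxRmState) in those calls would tie the length to the declaration. The commit message would also be clearer for stable reviewers if it stated the user-visible effect directly: with the u16 type, "network->MBssidMask = network->CcxRmState[1] & 0x07" read an element that neither copy ever wrote, so MBssidMask was derived from uninitialized memory.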