2012-07-02 12:40:03

by Thomas Huehn

Subject: [PATCH] mac80211: fix kzalloc memory corruption introduced in minstrel_ht

The patch: "mac80211: correct size the argument to
kzalloc in minstrel_ht" (from Jun 29, 2012), leads to memory corruption.
"msp->ratelist" is a void pointer - therefore going back to the
explicit form: sizeof(struct minstrel_rate) which brings back correct
memory allocation.

Reported-by: Fengguang Wu <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Thomas Huehn <[email protected]>
---
net/mac80211/rc80211_minstrel_ht.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index 1ca8f2b..f9e51ef 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -813,7 +813,7 @@ minstrel_ht_alloc_sta(void *priv, struct ieee80211_sta *sta, gfp_t gfp)
if (!msp)
return NULL;

- msp->ratelist = kzalloc(sizeof(*msp->ratelist) * max_rates, gfp);
+ msp->ratelist = kzalloc(sizeof(struct minstrel_rate) * max_rates, gfp);
if (!msp->ratelist)
goto error;

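Review bot: the restored kzalloc() line gets the size right but nothing on it stops the next cleanup from repeating the mistake. The commit message says msp->ratelist is a void pointer, and under GCC sizeof(*msp->ratelist) on a void pointer evaluates to 1, so the removed line asked for only max_rates bytes. Either add a short comment on the + line saying why the explicit type is required, or declare the ratelist field as struct minstrel_rate * so that the sizeof(*ptr) idiom becomes correct and the allocation is tied to the field's type.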
--
1.7.10.4
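A userspace model of the sizing bug described in the commit message above, added here as an example; it is not code from the kernel tree or from the patch author. The struct layouts, helper names and the sample max_rates value are constructed, and sizeof on a dereferenced void pointer evaluating to 1 is GNU C extension behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in: the real struct minstrel_rate layout is not on the page. */
struct minstrel_rate { int bitrate; unsigned int perfect_tx_time, ack_time; };

struct priv_untyped { void *ratelist; };                 /* field type as the commit message describes it */
struct priv_typed   { struct minstrel_rate *ratelist; }; /* hypothetical typed alternative */

/* Reverted form: sizeof(*void_ptr) is a GNU C extension that evaluates to 1. */
size_t size_via_void_deref(size_t max_rates)
{
    struct priv_untyped msp = { NULL };
    return __extension__ (sizeof(*msp.ratelist)) * max_rates;
}

/* Form the patch restores: the element type is spelled out. */
size_t size_explicit(size_t max_rates)
{
    return sizeof(struct minstrel_rate) * max_rates;
}

/* With a typed pointer the sizeof(*ptr) idiom yields the element size. */
size_t size_via_typed_deref(size_t max_rates)
{
    struct priv_typed msp = { NULL };
    return sizeof(*msp.ratelist) * max_rates;
}

/* Bytes a fully populated rate table needs beyond the undersized buffer. */
size_t shortfall(size_t max_rates)
{
    return size_explicit(max_rates) - size_via_void_deref(max_rates);
}

int main(void)
{
    size_t n = 8; /* constructed sample value for max_rates */

    printf("sizeof(*void_ptr) * n     = %zu bytes\n", size_via_void_deref(n));
    printf("sizeof(struct) * n        = %zu bytes\n", size_explicit(n));
    printf("sizeof(*typed_ptr) * n    = %zu bytes\n", size_via_typed_deref(n));
    printf("bytes past the allocation = %zu\n", shortfall(n));
    return 0;
}
```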



2012-07-05 14:52:30

by John W. Linville

Subject: Re: [PATCH] mac80211: fix kzalloc memory corruption introduced in minstrel_ht

On Mon, Jul 02, 2012 at 02:39:52PM +0200, Thomas Huehn wrote:
> The patch: "mac80211: correct size the argument to
> kzalloc in minstrel_ht" (from Jun 29, 2012), leads to memory corruption.
> "msp->ratelist" is a void pointer - therefore going back to the
> explicit form: sizeof(struct minstrel_rate) which brings back correct
> memory allocation.
>
> Reported-by: Fengguang Wu <[email protected]>
> Reported-by: Dan Carpenter <[email protected]>
> Signed-off-by: Thomas Huehn <[email protected]>
> ---
> net/mac80211/rc80211_minstrel_ht.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
> index 1ca8f2b..f9e51ef 100644
> --- a/net/mac80211/rc80211_minstrel_ht.c
> +++ b/net/mac80211/rc80211_minstrel_ht.c
> @@ -813,7 +813,7 @@ minstrel_ht_alloc_sta(void *priv, struct ieee80211_sta *sta, gfp_t gfp)
> if (!msp)
> return NULL;
>
> - msp->ratelist = kzalloc(sizeof(*msp->ratelist) * max_rates, gfp);
> + msp->ratelist = kzalloc(sizeof(struct minstrel_rate) * max_rates, gfp);
> if (!msp->ratelist)
> goto error;
>
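Review bot: the size on the + line is still an open-coded multiplication, sizeof(struct minstrel_rate) * max_rates, with no overflow check visible in this hunk. kcalloc(max_rates, sizeof(struct minstrel_rate), gfp) returns zeroed memory like kzalloc() and fails the allocation if the product overflows, which is the safer form for an element-count allocation; worth a follow-up if not folded into this fix.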

Johannes, I'm grabbing this one now.

--
John W. Linville Someday the world will need a hero, and you
[email protected] might be all we have. Be ready.