2017-03-16 23:24:39

by Colin King

Subject: [PATCH] staging: wilc1000: fix incorrect copy of pmkid data

From: Colin Ian King <[email protected]>

The pmkid data is meant to be copied to the previous item in the
pmkidlist, however the code is just copying the data to itself because
the src index into pmkidlist is the same as the dst index into pmkidlist.
Fix this with i + 1 instead of i.

Detected by CoverityScan, CID#13339465 ("Overlapping buffer in memory copy")

Signed-off-by: Colin Ian King <[email protected]>
---
drivers/staging/wilc1000/wilc_wfi_cfgoperations.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
index a37896f..4034f40 100644
--- a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
+++ b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
@@ -1346,7 +1346,7 @@ static int del_pmksa(struct wiphy *wiphy, struct net_device *netdev,
priv->pmkid_list.pmkidlist[i + 1].bssid,
ETH_ALEN);
memcpy(priv->pmkid_list.pmkidlist[i].pmkid,
- priv->pmkid_list.pmkidlist[i].pmkid,
+ priv->pmkid_list.pmkidlist[i + 1].pmkid,
PMKID_LEN);
}
priv->pmkid_list.numpmkid--;
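Review bot: Copying each entry field by field, as the two memcpy calls in this loop body do (bssid, then pmkid), is what allowed the source index of the pmkid copy to differ from the bssid copy just above it. Assuming the list entries are plain structs, a single assignment such as `priv->pmkid_list.pmkidlist[i] = priv->pmkid_list.pmkidlist[i + 1];`, or one memmove over the tail of the array, would move the whole entry and leave no per-field index to keep in sync.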
--
2.10.2


2017-03-17 08:35:58

by walter harms

Subject: Re: [PATCH] staging: wilc1000: fix incorrect copy of pmkid data



On 17.03.2017 00:21, Colin King wrote:
> From: Colin Ian King <[email protected]>
>
> The pmkid data is meant to be copied to the previous item in the
> pmkidlist, however the code is just copying the data to itself because
> the src index into pmkidlist is the same as the dst index into pmkidlist.
> Fix this with i + 1 instead of i.
>
> Detected by CoverityScan, CID#13339465 ("Overlapping buffer in memory copy")
>
> Signed-off-by: Colin Ian King <[email protected]>
> ---
> drivers/staging/wilc1000/wilc_wfi_cfgoperations.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
> index a37896f..4034f40 100644
> --- a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
> +++ b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
> @@ -1346,7 +1346,7 @@ static int del_pmksa(struct wiphy *wiphy, struct net_device *netdev,
> priv->pmkid_list.pmkidlist[i + 1].bssid,
> ETH_ALEN);
> memcpy(priv->pmkid_list.pmkidlist[i].pmkid,
> - priv->pmkid_list.pmkidlist[i].pmkid,
> + priv->pmkid_list.pmkidlist[i + 1].pmkid,
> PMKID_LEN);
> }
> priv->pmkid_list.numpmkid--;
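Review bot: With the pmkid copy now reading from pmkidlist[i + 1], the read is only safe if the enclosing loop stops while i + 1 is still below numpmkid; the loop header is not part of this hunk, so that bound is worth confirming. Separately, once `priv->pmkid_list.numpmkid--` runs, the old last slot still holds a bssid and pmkid that are no longer counted, and nothing in these lines clears it. Consider zeroing the vacated entry after the decrement unless that already happens outside the hunk.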



perhaps we can also simplify the error handling:
that would reduce the indent level by one and effectively remove the s32Error variable.

	if (i >= priv->pmkid_list.numpmkid || priv->pmkid_list.numpmkid <= 0)
		return -EINVAL;


just my 2 cents.
re,
wh