2014-08-28 13:25:21

by Dan Carpenter

Subject: re: mwifiex: parse TDLS action frames during RX

Hello Avinash Patil,

The patch 5f2caaf32bc6: "mwifiex: parse TDLS action frames during RX"
from Feb 7, 2014, leads to the following static checker warning:

drivers/net/wireless/mwifiex/tdls.c:873 mwifiex_process_tdls_action_frame()
error: '2 + pos[1]' from user is not capped properly

drivers/net/wireless/mwifiex/tdls.c
868 memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
869 sizeof(struct ieee_types_header) +
870 min_t(u8, pos[1], 8));
871 break;
872 case WLAN_EID_RSN:
873 memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
874 sizeof(struct ieee_types_header) + pos[1]);

The ->rsn_ie buffer is 256 bytes large.
sizeof(struct ieee_types_header) is 2.
pos[1] is a number between 0 and 255.
This can write 1 byte beyond the end.

875 break;
876 case WLAN_EID_QOS_CAPA:
877 sta_ptr->tdls_cap.qos_info = pos[2];
878 break;

regards,
dan carpenter

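The arithmetic in the report, as an added C model (not the driver's code and not the patch Avinash submitted): the 256-byte buffer, the 2-byte IE header and the `2 + pos[1]` copy length match what Dan describes; the capped variant and the canary byte are this example's own, added to make the one-byte spill and its fix observable.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the driver's capability struct: only the
 * field named in the report, the 256-byte RSN IE buffer, plus a
 * canary byte placed directly after it so a spill is visible. */
#define RSN_IE_BUF 256
#define IE_HDR_LEN 2               /* sizeof(struct ieee_types_header) */
#define EID_RSN    48              /* WLAN_EID_RSN */

struct tdls_cap_model {
    uint8_t rsn_ie[RSN_IE_BUF];
    uint8_t canary;                /* no padding: uint8_t after uint8_t[] */
};

/* Copy length as written at tdls.c:873-874: header + length byte,
 * uncapped, so a length byte of 255 yields 257. */
size_t rsn_copy_len_uncapped(const uint8_t *pos)
{
    return IE_HDR_LEN + pos[1];
}

/* Hardened variant (this example's own, not the submitted patch):
 * clamp the copy to what the destination can hold. */
size_t rsn_copy_len_capped(const uint8_t *pos)
{
    size_t len = IE_HDR_LEN + pos[1];
    return len > RSN_IE_BUF ? RSN_IE_BUF : len;
}

/* 1 if an IE whose length byte is ie_len would write past rsn_ie with
 * the uncapped arithmetic; shows that only 255 trips it (off by one). */
int uncapped_overflows(uint8_t ie_len)
{
    uint8_t ie[IE_HDR_LEN] = { EID_RSN, ie_len };
    return rsn_copy_len_uncapped(ie) > RSN_IE_BUF;
}

/* Copy with the capped length; returns the number of bytes copied. */
size_t copy_rsn_ie_capped(struct tdls_cap_model *cap, const uint8_t *pos)
{
    size_t len = rsn_copy_len_capped(pos);
    memcpy(cap->rsn_ie, pos, len);
    return len;
}
```

A complete fix must also bound the copy by the bytes remaining in the received frame, which this model of the destination-size check leaves out.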

2014-09-01 18:54:07

by Dan Carpenter

Subject: Re: mwifiex: parse TDLS action frames during RX

On Mon, Sep 01, 2014 at 12:33:36AM -0700, Avinash Patil wrote:
> Hi Dan,
>
> Thanks for reporting the static checker warning.
> A patch has been submitted which ensures we do not copy beyond the end.
>

Great! Thanks! Do you have a link to the patch?

regards,
dan carpenter


2014-09-01 07:34:42

by Avinash Patil

Subject: RE: mwifiex: parse TDLS action frames during RX

Hi Dan,

Thanks for reporting the static checker warning.
A patch has been submitted which ensures we do not copy beyond the end.

Thanks,
Avinash.
________________________________________
From: Dan Carpenter [[email protected]]
Sent: Thursday, August 28, 2014 6:53 PM
To: Avinash Patil
Cc: [email protected]
Subject: re: mwifiex: parse TDLS action frames during RX
