Date: Tue, 3 Dec 2019 13:14:06 +0100
From: Greg KH
To: Brian Norris
Cc: qize wang, linux-wireless, amit karwar, Nishant Sarmukadam, Ganapathi Bhat, Xinming Hu, Kalle Valo, Dan Carpenter, Solar Designer
Subject: Re: [PATCH v3] mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()
Message-ID: <20191203121406.GA2127957@kroah.com>
References: <20191129101054.2756-1-wangqize888888888@gmail.com>
X-Mailing-List: linux-wireless@vger.kernel.org

On Mon, Dec 02, 2019 at 03:16:35PM -0800, Brian Norris wrote:
> A bit late, but a few readability and maintainability thoughts:
>
> On Fri, Nov 29, 2019 at 2:12 AM qize wang wrote:
> >
> > mwifiex_process_tdls_action_frame() without checking
> > the incoming tdls information element's validity before using it,
> > this may cause multiple heap buffer overflows.
> >
> > Fix them by putting a validity check before using it.
> >
> > IE is a TLV struct, but ht_cap and ht_oper aren't TLV structs.
> > The original Marvell driver code is wrong:
> >
> > memcpy(&sta_ptr->tdls_cap.ht_oper, pos,....
> > memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,...
> >
> > Fix the bug by changing pos (the address of the IE) to
> > pos+2 (the address of the IE value).
> >
> > v3: change commit log
> >
>
> Would have been great to have a
>
> Cc:
>
> tag here. I'm not sure if "just have GregKH on CC" is the right process...

Not at all :)
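The commit message quoted above describes two defects: no validity check on the incoming TDLS information elements, and a copy that starts at the IE header (pos) instead of its body (pos + 2). The C example below is added here as an illustration and is not code from the mwifiex driver or from the patch; it shows the shape a defensive IE parser takes: each element's declared length is checked against the bytes remaining in the frame and against the fixed-size destination before any memcpy, and the copy starts at pos + 2. The struct names (ht_cap, ht_oper, sta_caps), the functions parse_tdls_ies, copy_ie_body and build_frame, the scenario_* helpers and the sample frames are all constructed for this example; only the element IDs (45, 61) and body sizes (26, 22 bytes) are the 802.11 values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for the driver's fixed-size tdls_cap.ht_capb / tdls_cap.ht_oper
 * fields (constructed for this example, not the driver's definitions). 802.11
 * gives the HT Capabilities body 26 bytes (ID 45), HT Operation 22 (ID 61). */
struct ht_cap  { uint8_t data[26]; };
struct ht_oper { uint8_t data[22]; };
struct sta_caps {
    struct ht_cap  ht_cap;
    struct ht_oper ht_oper;
    bool have_ht_cap, have_ht_oper;
};
enum { EID_HT_CAP = 45, EID_HT_OPER = 61 };

/* Copy an IE body (pos + 2, after the 1-byte ID and 1-byte length) into a
 * fixed-size struct. The caller has checked that ie_len fits in the frame;
 * here it must also match the struct exactly, so a forged length octet can
 * never write past the destination. */
static int copy_ie_body(void *dst, size_t dst_len, const uint8_t *pos,
                        size_t ie_len)
{
    if (ie_len != dst_len)        /* ht_cap/ht_oper are fixed-size, not TLVs */
        return -1;
    memcpy(dst, pos + 2, ie_len);
    return 0;
}

/* Walk the IE list of a TDLS action frame body. Returns the number of elements
 * parsed, or -1 as soon as one is malformed (nothing is copied for it). */
int parse_tdls_ies(const uint8_t *buf, size_t len, struct sta_caps *caps)
{
    const uint8_t *pos = buf, *end = buf + len;
    int count = 0;
    memset(caps, 0, sizeof(*caps));
    while (pos < end) {
        size_t remaining = (size_t)(end - pos);
        if (remaining < 2)        /* not even an ID and a length octet left */
            return -1;
        uint8_t eid = pos[0], ie_len = pos[1];
        if (ie_len + 2u > remaining)   /* element claims bytes the frame lacks */
            return -1;
        if (eid == EID_HT_CAP) {
            if (copy_ie_body(&caps->ht_cap, sizeof(caps->ht_cap), pos, ie_len))
                return -1;
            caps->have_ht_cap = true;
        } else if (eid == EID_HT_OPER) {
            if (copy_ie_body(&caps->ht_oper, sizeof(caps->ht_oper), pos, ie_len))
                return -1;
            caps->have_ht_oper = true;
        }                         /* any other element is skipped, never copied */
        pos += 2 + ie_len;
        count++;
    }
    return count;
}

/* Constructed IE list: an HT Capabilities element with body 0x10, 0x11, ...
 * then an HT Operation element with body 0x40, 0x41, ... The length octets
 * come from the arguments so a malformed frame can be built on purpose. */
size_t build_frame(uint8_t *out, uint8_t cap_len, uint8_t oper_len)
{
    size_t p = 0, i;
    out[p++] = EID_HT_CAP;
    out[p++] = cap_len;
    for (i = 0; i < cap_len; i++)
        out[p++] = (uint8_t)(0x10 + i);
    out[p++] = EID_HT_OPER;
    out[p++] = oper_len;
    for (i = 0; i < oper_len; i++)
        out[p++] = (uint8_t)(0x40 + i);
    return p;                     /* bytes written */
}

/* Well-formed frame: both elements parsed, bodies taken from pos + 2. */
int scenario_well_formed(void)
{
    uint8_t f[128]; struct sta_caps c;
    size_t n = build_frame(f, 26, 22);
    if (parse_tdls_ies(f, n, &c) != 2)
        return -1;
    if (!c.have_ht_cap || !c.have_ht_oper)
        return -2;
    if (c.ht_cap.data[0] != 0x10 || c.ht_oper.data[0] != 0x40)
        return -3;                /* would read 45 / 61 if copied from pos */
    return 0;
}

/* Malformed frames: one cut short so the HT Operation element claims 22 bytes
 * it does not have, one whose HT Capabilities element claims 60 bytes, which
 * an unchecked memcpy would write past the 26-byte struct. 0 = both rejected. */
int scenario_malformed(void)
{
    uint8_t f[128]; struct sta_caps c;
    size_t n = build_frame(f, 26, 22);
    if (parse_tdls_ies(f, n - 5, &c) != -1)
        return -1;
    if (parse_tdls_ies(f, build_frame(f, 60, 22), &c) != -1)
        return -2;
    return 0;
}
```

Both scenario functions return 0 when the parser accepts the well-formed frame and rejects the two malformed ones. Rejecting on a length mismatch, rather than clamping the copy, is deliberate for a fixed-size capability struct: a shorter element would leave uninitialised tail bytes, and a longer one is exactly the overflow the patch addresses.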