On 10/26/2015 04:06 PM, Dan Carpenter wrote:
On Sat, Oct 24, 2015 at 08:42:29PM +0700, Ivan Safonov wrote:
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c 
b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index 98bdc95..735e24b 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -2669,7 +2669,7 @@ static int rtw_get_sta_wpaie(struct net_device *dev, 
struct ieee_param *param)
                        int copy_len;
wpa_ie_len = psta->wpa_ie[1];
-                       copy_len = ((wpa_ie_len+2) > sizeof(psta->wpa_ie)) ? 
(sizeof(psta->wpa_ie)) : (wpa_ie_len+2);
+                       copy_len = min(wpa_ie_len + 2, 
(int)sizeof(psta->wpa_ie));
                        param->u.wpa_ie.len = copy_len;
                        memcpy(param->u.wpa_ie.reserved, psta->wpa_ie, 
copy_len);
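Review bot: the `(int)` cast on `sizeof(psta->wpa_ie)` turns the comparison into signed arithmetic, whereas the removed ternary compared against a `size_t`; if `wpa_ie_len` is a signed type and `wpa_ie_len + 2` is ever negative, `copy_len` is now negative and goes straight into `memcpy(param->u.wpa_ie.reserved, psta->wpa_ie, copy_len)`. Since `wpa_ie_len` is loaded from the `u8` `psta->wpa_ie[1]` just above, that may not be reachable in practice, but the hunk does not show how `wpa_ie_len` and `copy_len` are declared; declaring both unsigned, or writing `min_t(size_t, wpa_ie_len + 2, sizeof(psta->wpa_ie))`, keeps the comparison unsigned and makes that obvious to readers and static checkers.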

In the original code if "wpa_ie_len + 2" was negative then copy_len is
sizeof(psta->wpa_ie), but in the new code copy_len is a negative
number and the memcpy() will corrupt memory and crash the system.

regards,
dan carpenter

It is quite unexpected for me.

I proceeded from the assumption that psta->wpa_ie[1] is u8 and wpa_ie_len (and wpa_ie_len + 2) is always greater than zero and less than INT_MAX.

Is it better to make wpa_ie_len and copy_len unsigned?
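The difference the two messages above are discussing can be seen in a few lines. The following is an added, stand-alone example and not the driver's code: `struct sta` with a 32-byte `wpa_ie` array is a constructed stand-in for the real per-station structure, `MIN()` is a plain minimum macro standing in for the kernel's `min()`, and `copy_len_unsigned()` is one assumed way of keeping every operand unsigned, as the follow-up question proposes. The negative input is constructed to exercise the path Dan describes; whether such a value can actually reach this code depends on how `wpa_ie_len` is declared, which the quoted hunk does not show.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the driver's per-station structure.  The real
 * psta->wpa_ie is a fixed-size byte array; 32 bytes is an assumed size. */
struct sta {
	uint8_t wpa_ie[32];
};

/* Plain min() macro: the comparison happens in the operands' own type,
 * which is exactly what makes the signed variant below differ. */
#define MIN(a, b) (((a) < (b)) ? (a) : (b))

/* Mirrors the original ternary.  sizeof() is size_t, so a negative
 * wpa_ie_len + 2 is converted to a huge unsigned value, the comparison is
 * true and the buffer size is returned: odd, but never a negative length. */
int copy_len_original(int wpa_ie_len)
{
	size_t buf = sizeof(((struct sta *)0)->wpa_ie);

	return (int)(((wpa_ie_len + 2) > buf) ? buf : (wpa_ie_len + 2));
}

/* Mirrors the patched min() with the (int) cast: both operands are int, so
 * a negative wpa_ie_len + 2 is simply the smaller value and would become
 * the memcpy() length. */
int copy_len_min_signed(int wpa_ie_len)
{
	return MIN(wpa_ie_len + 2, (int)sizeof(((struct sta *)0)->wpa_ie));
}

/* Assumed rewrite answering the follow-up question: take the length as the
 * u8 it is read from and keep every operand unsigned.  With ie_len at most
 * 255 the sum is at most 257, the comparison is unsigned, and no negative
 * value can arise. */
size_t copy_len_unsigned(uint8_t ie_len)
{
	size_t want = (size_t)ie_len + 2;

	return MIN(want, sizeof(((struct sta *)0)->wpa_ie));
}

/* A memcpy() length is safe only if it is non-negative and fits the
 * destination buffer. */
int memcpy_len_is_safe(int copy_len)
{
	return copy_len >= 0 &&
	       (size_t)copy_len <= sizeof(((struct sta *)0)->wpa_ie);
}

int main(void)
{
	int inputs[] = { 10, 100, -5 };	/* constructed sample lengths */
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		int n = inputs[i];
		int a = copy_len_original(n);
		int b = copy_len_min_signed(n);

		printf("wpa_ie_len=%4d  original=%3d (%s)  min()=%3d (%s)\n",
		       n, a, memcpy_len_is_safe(a) ? "safe" : "UNSAFE",
		       b, memcpy_len_is_safe(b) ? "safe" : "UNSAFE");
	}
	printf("unsigned, ie_len=255 -> %zu\n", copy_len_unsigned(255));
	return 0;
}
```

For 10 and 100 both formulations agree (12 and 32); for the constructed -5 the ternary yields 32 while the signed `min()` yields -3, which `memcpy_len_is_safe()` rejects. The unsigned variant cannot produce a negative value at all, which is the property Ivan's question is after.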