Re: staging: possible buffer overflow in rtw_wx_set_scan function in driver/staging/rtl8723bs
From: iLifetruth <hidden>
Date: 2021-08-24 08:48:07
Also in:
lkml
On Tue, Aug 24, 2021 at 3:46 PM Fabio Aiuto [off-list ref] wrote:
Hello, [sorry for resend, I updated the CC field] On Tue, Aug 24, 2021 at 03:04:04PM +0800, iLifetruth wrote:quoted
Here are the fixes and the contents of the patch file we suggest. [PATCH]staging: rtl8723bs: prevent ->ssid overflow in rtw_wx_set_scan() This fixing patch is ported from the upstream commit 74b6b20df8cf(staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()) which fixes on another driver numbered rtl8188eu. This code has a check to prevent read overflow but it needs another check to prevent writing beyond the end of the ->ssid[] array in driver rtl8723bs. --- drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.cb/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c index f95000df8942..3b859b71bf43 100644--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c@@ -1222,9 +1222,9 @@ static int rtw_wx_set_scan(struct net_device*dev, struct iw_request_info *a, sec_len = *(pos++); len -= 1; - if (sec_len > 0 && sec_len <= len) { + if (sec_len > 0 && sec_len <= len && sec_len<= 32) { ssid[ssid_index].SsidLength = sec_len; - memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength); + memcpy(ssid[ssid_index].Ssid, pos, sec_len); ssid_index++; } -- Thanks for your confirmation, - iLifetruththe patch looks fine. Just some points: - If the patch related to wext support removal will be accepted, the patch isn't necessary. So I will wait until I know the community-maintainer decision.
OK, I see the situation now, and I will submit a relevant patch to the Linux-staging tree at a suitable time.