Re: [PATCH] staging: rtl8723bs: prevent ->ssid overflow in rtw_wx_set_scan()
From: Fabio Aiuto <hidden>
Date: 2021-08-26 17:20:04
Also in:
lkml
Hello Welong, On Thu, Aug 26, 2021 at 11:46:22PM +0800, Wenlong Zhang wrote:
quoted hunk ↗ jump to hunk
Commit 74b6b20df8cf ("staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()") fixed up the staging driver rtl8188eu by adding another check to prevent writing beyond the end of the ->ssid[] array. Resolve this by properly fixing up the rtl8723bs driver's version of rtw_wx_set_scan() Reported-by: Wenlong Zhang(iLifetruth) <redacted> Fixes: 74b6b20df8cf ("staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()") Signed-off-by: Wenlong Zhang <redacted> --- drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c index 902ac8169948..6fc1020cea11 100644 --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c@@ -1351,9 +1351,9 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a, sec_len = *(pos++); len -= 1; - if (sec_len > 0 && sec_len <= len) { + if (sec_len > 0 && sec_len <= len && sec_len <= 32) { ssid[ssid_index].SsidLength = sec_len; - memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength); + memcpy(ssid[ssid_index].Ssid, pos, sec_len); /* DBG_871X("%s COMBO_SCAN with specific ssid:%s, %d\n", __func__ */ /* , ssid[ssid_index].Ssid, ssid[ssid_index].SsidLength); */ ssid_index++;-- 2.15.0
today the patch which removes wext handlers has been accepted in staging-testing so maybe rtw_wx_set_scan is going to disappear. thank you, fabio