Re: out of bounds read in drivers/net/wireless/ray_cs.c

From: Kalle Valo <hidden>
Date: 2018-12-20 13:12:43
Also in: linux-wireless, lkml

Possibly related (same subject, not in this thread)

2018-12-20 · out of bounds read in drivers/net/wireless/ray_cs.c · Colin Ian King <hidden>

Colin Ian King [off-list ref] writes:

Static analysis with CoverityScan picked up an out of bounds read issue
that has been in the Raylink wireless LAN card driver since it appeared
in the kernel:

drivers/net/wireless/ray_cs.c:

accessing org[3] is out of bounds, the array has just 3 elements.

 959                if (proto == htons(ETH_P_AARP) || proto ==
htons(ETH_P_IPX)) {
 960                        /* This is the selective translation table,
only 2 entries */

    CID undefined (#1 of 1): Out-of-bounds read
    overrun-local: Overrunning array of 3 bytes at byte offset 3 by
dereferencing pointer &((struct snaphdr_t *)ptx->var)->org[3].

 961                        writeb(0xf8,
 962                               &((struct snaphdr_t __iomem
*)ptx->var)->org[3]);
 963                }

I suspect the org[3] is a typo and should be org[2], but I don't have
any info on the H/W so I'm speculating that this is the issue. Any ideas
anyone?

I have never heard anyone using this driver so I suspect you won't get
any help with testing. Just send a patch fixing the issue, and if it
breaks something then at least we know someone is using the driver :)

-- 
Kalle Valo

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help