From patchwork Tue Feb 26 10:04:51 2013
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 2184871
Date: Tue, 26 Feb 2013 13:04:51 +0300
From: Dan Carpenter
To: "John W. Linville"
Cc: linux-wireless@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] ray_cs: read past the end of the array
Message-ID: <20130226100451.GA12364@longonot.mountain>

"translate" should either be set or disabled.  We also use it as an offset
into the framing[] array when we're generating the proc file.  Framing
looks like this:

static const char *framing[] = { "Encapsulation", "Translation" }

So when we're setting translate we need to restrict the values to either
1 or 0 or it can cause an out of bounds read.

Signed-off-by: Dan Carpenter
---
Compile tested only.

This function currently doesn't have permission checks but maybe it
should.

There are a couple other overflow warnings in this file that look valid,
but I don't know what was intended.

drivers/net/wireless/ray_cs.c:602 init_startup_params() error: memcpy() 'b4_default_startup_parms' too small (85 vs 93)
drivers/net/wireless/ray_cs.c:965 translate_frame() warn: buffer overflow '(ptx->var)->org' 3 <= 3

diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c index e7cf37f..6ee5055 100644 --- a/drivers/net/wireless/ray_cs.c +++ b/drivers/net/wireless/ray_cs.c @@ -144,7 +144,7 @@ static int psm; static char *essid; /* Default to encapsulation unless translation requested */ -static int translate = 1; +static bool translate = 1; static int country = USA; 
@@ -178,7 +178,7 @@ module_param(hop_dwell, int, 0); module_param(beacon_period, int, 0); module_param(psm, int, 0); module_param(essid, charp, 0); -module_param(translate, int, 0); +module_param(translate, bool, 0); module_param(country, int, 0); module_param(sniffer, int, 0); module_param(bc, int, 0); @@ -1353,7 +1353,7 @@ static int ray_get_range(struct net_device *dev, struct iw_request_info *info, static int ray_set_framing(struct net_device *dev, struct iw_request_info *info, union iwreq_data *wrqu, char *extra) { - translate = *(extra); /* Set framing mode */ + translate = !!*(extra); /* Set framing mode */ return 0; }
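
Review bot: In the hunk at ray_cs.c:144 the comment directly above the changed line says "Default to encapsulation unless translation requested", but the initializer stays 1, which per the framing[] array quoted in the changelog selects "Translation". Since this line is being touched anyway, please correct the comment so it matches the value that is actually the default, and write the initializer as "static bool translate = true;" now that the type is bool.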
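
Review bot: In the module_param() hunk at ray_cs.c:178 the switch from int to bool changes what the module accepts at load time, and the changelog does not mention it; it only describes the path through ray_set_framing(). A load line such as translate=2 was accepted before and is refused by the bool parameter parser after this change. Please add a sentence to the changelog saying the parameter is now restricted to boolean values, so the user-visible change is on record and it is clear that both ways of setting translate are covered.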
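
Review bot: In ray_set_framing() at ray_cs.c:1353 the "!!" is redundant once translate is a bool, because assigning any nonzero value to a bool already stores 1; "translate = *extra;" would be enough, or keep the "!!" and say in the changelog that it is there for readability only. The handler also still returns 0 for every input and writes a file-scope static from a call that takes a single net_device, so the open question in the notes under the "---" about missing permission checks should be settled or tracked as a follow-up before this is merged.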