diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2016-01-30 17:41:10 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2016-02-07 19:52:30 -0800 |
commit | aea48157ce1b1fb527747256baf9ec39d0d121a2 (patch) | |
tree | 9702f2c6106541f2f6fb95c073b15fff1324790b /drivers/staging/rtl8712 | |
parent | eaf0e7966d485b4524c1fc278922e4197ec273cc (diff) |
staging: rtl8712: memory corruption in wpa_set_encryption()
->KeyMaterial is declared as a 16 byte array, but we only ever allocate
either 5 or 13 bytes of it. The problem is that we memset() all 16
bytes to zero so we're memsetting past the end of the allocated memory.
I fixed this in slightly lazy way, by just allocating 16 bytes. This
works but there is a lot more cleanup you could do to this code if you
wanted. Which is why this code is in staging.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/rtl8712')
-rw-r--r-- | drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c index edfc6805e012..db2e31bcdd77 100644 --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c @@ -398,12 +398,9 @@ static int wpa_set_encryption(struct net_device *dev, struct ieee_param *param, wep_key_idx = 0; if (wep_key_len > 0) { wep_key_len = wep_key_len <= 5 ? 5 : 13; - pwep = kmalloc((u32)(wep_key_len + - FIELD_OFFSET(struct NDIS_802_11_WEP, - KeyMaterial)), GFP_ATOMIC); + pwep = kzalloc(sizeof(*pwep), GFP_ATOMIC); if (pwep == NULL) return -ENOMEM; - memset(pwep, 0, sizeof(struct NDIS_802_11_WEP)); pwep->KeyLength = wep_key_len; pwep->Length = wep_key_len + FIELD_OFFSET(struct NDIS_802_11_WEP, |