Skip to content

Commit

Permalink
staging: r8712u: Fix possible out-of-bounds index with TKIP and AES keys
Browse files Browse the repository at this point in the history 
Array XGrpKey has only 2 elements and uses (keyid - 1) as the index, which
allows the possibility of memory corruption from an out-of-bounds index.

This problem was reported by a new version of smatch.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  • Loading branch information
Larry Finger authored and Greg Kroah-Hartman committed Oct 11, 2011
1 parent 8550be0 commit 447ff88
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions drivers/staging/rtl8712/rtl871x_mlme.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1281,12 +1281,16 @@ sint r8712_set_key(struct _adapter *adapter,
psecuritypriv->DefKey[keyid].skey, keylen);
break;
case _TKIP_:
if (keyid < 1 || keyid > 2)
return _FAIL;
keylen = 16;
memcpy(psetkeyparm->key,
&psecuritypriv->XGrpKey[keyid - 1], keylen);
psetkeyparm->grpkey = 1;
break;
case _AES_:
if (keyid < 1 || keyid > 2)
return _FAIL;
keylen = 16;
memcpy(psetkeyparm->key,
&psecuritypriv->XGrpKey[keyid - 1], keylen);
Expand Down

0 comments on commit 447ff88

Please sign in to comment.