[PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()

Denis Efremov (Oracle) posted 1 patch 3 years, 11 months ago
There is a newer version of this series
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
[PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()
Posted by Denis Efremov (Oracle) 3 years, 11 months ago
This code has a check to prevent read overflow but it needs another
check to prevent writing beyond the end of the ->Ssid[] array.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
---
 drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index 902ac8169948..083ff72976cf 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -1351,9 +1351,11 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a,
 
 					sec_len = *(pos++); len -= 1;
 
-					if (sec_len > 0 && sec_len <= len) {
+					if (sec_len > 0 &&
+					    sec_len <= len &&
+					    sec_len <= 32) {
 						ssid[ssid_index].SsidLength = sec_len;
-						memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength);
+						memcpy(ssid[ssid_index].Ssid, pos, sec_len);
 						/* DBG_871X("%s COMBO_SCAN with specific ssid:%s, %d\n", __func__ */
 						/* 	, ssid[ssid_index].Ssid, ssid[ssid_index].SsidLength); */
 						ssid_index++;
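
Review bot: The new bound `sec_len <= 32` in the condition hard-codes the size of the destination array. Deriving it from the buffer itself, e.g. `sec_len <= sizeof(ssid[ssid_index].Ssid)`, would keep the check tied to the declaration of ->Ssid[] if that size ever changes, and would make the intent readable without looking up the struct. Separately, ssid_index is still incremented for every accepted section and no limit on it is visible in these lines, so it is worth confirming elsewhere in rtw_wx_set_scan() that it cannot index past the end of ssid[].
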
-- 
2.35.3
Re: [PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()
Posted by Greg KH 3 years, 11 months ago
On Fri, May 20, 2022 at 07:57:30AM +0400, Denis Efremov (Oracle) wrote:
> This code has a check to prevent read overflow but it needs another
> check to prevent writing beyond the end of the ->Ssid[] array.
> 
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable <stable@vger.kernel.org>
> Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
> ---
>  drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)

And only 5.10 needs this?  What about all other kernel branches?

thanks,

greg k-h
Re: [PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()
Posted by Denis Efremov 3 years, 11 months ago
Hi,

On 5/23/22 19:26, Greg KH wrote:
> On Fri, May 20, 2022 at 07:57:30AM +0400, Denis Efremov (Oracle) wrote:
>> This code has a check to prevent read overflow but it needs another
>> check to prevent writing beyond the end of the ->Ssid[] array.
>>
>> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
>> Cc: stable <stable@vger.kernel.org>
>> Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
>> ---
>>  drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> And only 5.10 needs this?  What about all other kernel branches?
> 

From 5.10, 5.4, 4.19, to 4.14.

There is a small spaces conflict in 5.4-4.14 kernels because of
c77761d660a6 staging: rtl8723bs: Fix spacing issues

I sent another patch to handle it.

Thanks,
Denis
Re: [PATCH v5.10] staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan()
Posted by Greg KH 3 years, 11 months ago
On Mon, May 23, 2022 at 09:41:09PM +0400, Denis Efremov wrote:
> Hi,
> 
> On 5/23/22 19:26, Greg KH wrote:
> > On Fri, May 20, 2022 at 07:57:30AM +0400, Denis Efremov (Oracle) wrote:
> >> This code has a check to prevent read overflow but it needs another
> >> check to prevent writing beyond the end of the ->Ssid[] array.
> >>
> >> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> >> Cc: stable <stable@vger.kernel.org>
> >> Signed-off-by: Denis Efremov (Oracle) <efremov@linux.com>
> >> ---
> >>  drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 6 ++++--
> >>  1 file changed, 4 insertions(+), 2 deletions(-)
> > 
> > And only 5.10 needs this?  What about all other kernel branches?
> > 
> 
> From 5.10, 5.4, 4.19, to 4.14.
> 
> There is a small spaces conflict in 5.4-4.14 kernels because of
> c77761d660a6 staging: rtl8723bs: Fix spacing issues
> 
> I sent another patch to handle it.

Thanks, all now queued up.

greg k-h