From: Larry Finger Date: Sat, 8 Oct 2011 19:01:06 +0000 (-0500) Subject: staging: r8712u: Fix possible out-of-bounds index with TKIP and AES keys X-Git-Tag: firefly_0821_release~3680^2~4313^2^2~124 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=447ff8865209e48e231de804c47eb4677f2318be;p=firefly-linux-kernel-4.4.55.git staging: r8712u: Fix possible out-of-bounds index with TKIP and AES keys Array XGrpKey has only 2 elements and uses (keyid - 1) as the index, which allows the possibility of memory corruption from an out-of-bounds index. This problem was reported by a new version of smatch. Reported-by: Dan Carpenter Signed-off-by: Larry Finger Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c index c475b961308e..ef8eb6c7ee41 100644 --- a/drivers/staging/rtl8712/rtl871x_mlme.c +++ b/drivers/staging/rtl8712/rtl871x_mlme.c @@ -1281,12 +1281,16 @@ sint r8712_set_key(struct _adapter *adapter, psecuritypriv->DefKey[keyid].skey, keylen); break; case _TKIP_: + if (keyid < 1 || keyid > 2) + return _FAIL; keylen = 16; memcpy(psetkeyparm->key, &psecuritypriv->XGrpKey[keyid - 1], keylen); psetkeyparm->grpkey = 1; break; case _AES_: + if (keyid < 1 || keyid > 2) + return _FAIL; keylen = 16; memcpy(psetkeyparm->key, &psecuritypriv->XGrpKey[keyid - 1], keylen);