From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat, 30 Jan 2016 14:41:10 +0000 (+0300)
Subject: staging: rtl8712: memory corruption in wpa_set_encryption()
X-Git-Tag: v4.6-rc1~103^2~1047
X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=aea48157ce1b1fb527747256baf9ec39d0d121a2;p=linux.git

staging: rtl8712: memory corruption in wpa_set_encryption()

->KeyMaterial is declared as a 16 byte array, but we only ever allocate
either 5 or 13 bytes of it.  The problem is that we memset() all 16
bytes to zero so we're memsetting past the end of the allocated memory.

I fixed this in slightly lazy way, by just allocating 16 bytes.  This
works but there is a lot more cleanup you could do to this code if you
wanted.  Which is why this code is in staging.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
index edfc6805e012..db2e31bcdd77 100644
--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
@@ -398,12 +398,9 @@ static int wpa_set_encryption(struct net_device *dev, struct ieee_param *param,
 			wep_key_idx = 0;
 		if (wep_key_len > 0) {
 			wep_key_len = wep_key_len <= 5 ? 5 : 13;
-			pwep = kmalloc((u32)(wep_key_len +
-				FIELD_OFFSET(struct NDIS_802_11_WEP,
-				KeyMaterial)), GFP_ATOMIC);
+			pwep = kzalloc(sizeof(*pwep), GFP_ATOMIC);
 			if (pwep == NULL)
 				return -ENOMEM;
-			memset(pwep, 0, sizeof(struct NDIS_802_11_WEP));
 			pwep->KeyLength = wep_key_len;
 			pwep->Length = wep_key_len +
 				 FIELD_OFFSET(struct NDIS_802_11_WEP,