From: Jes Sorensen Date: Tue, 15 Apr 2014 17:44:24 +0000 (+0200) Subject: staging: rtl8723au: Remove buggy function _rtw_report_sec_ie() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=959226ac54b1b4cf9d6d2b496e097a29b4b1d338;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git staging: rtl8723au: Remove buggy function _rtw_report_sec_ie() This function was extremely buggy calling kmalloc(GFP_KERNEL) while holding a spin lock and then potentially overflowing the buffer it had allocated. Since the generated output wasn't used for anything, simply rip the whole thing out. Reported-by: Dan Carpenter Signed-off-by: Jes Sorensen Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/rtl8723au/core/rtw_mlme.c b/drivers/staging/rtl8723au/core/rtw_mlme.c index 24a4338aafe8..3599d0287365 100644 --- a/drivers/staging/rtl8723au/core/rtw_mlme.c +++ b/drivers/staging/rtl8723au/core/rtw_mlme.c @@ -1987,47 +1987,6 @@ static int rtw_append_pmkid(struct rtw_adapter *Adapter, int iEntry, return ie_len; } -static void -_rtw_report_sec_ie(struct rtw_adapter *adapter, u8 authmode, u8 *sec_ie) -{ - uint len; - u8 *buff, *p, i; - union iwreq_data wrqu; - - RT_TRACE(_module_mlme_osdep_c_, _drv_info_, - ("+_rtw_report_sec_ie, authmode =%d\n", authmode)); - - buff = NULL; - if (authmode == WLAN_EID_VENDOR_SPECIFIC) { - RT_TRACE(_module_mlme_osdep_c_, _drv_info_, - ("_rtw_report_sec_ie, authmode =%d\n", authmode)); - - buff = kzalloc(IW_CUSTOM_MAX, GFP_KERNEL); - if (!buff) - return; - p = buff; - - p += sprintf(p, "ASSOCINFO(ReqIEs ="); - - len = sec_ie[1]+2; - len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX; - - for (i = 0; i < len; i++) - p += sprintf(p, "%02x", sec_ie[i]); - - p += sprintf(p, ")"); - - memset(&wrqu, 0, sizeof(wrqu)); - - wrqu.data.length = p-buff; - - wrqu.data.length = (wrqu.data.length < IW_CUSTOM_MAX) ? - wrqu.data.length : IW_CUSTOM_MAX; - - kfree(buff); - } -} - int rtw_restruct_sec_ie23a(struct rtw_adapter *adapter, u8 *in_ie, u8 *out_ie, uint in_len) { @@ -2064,8 +2023,6 @@ int rtw_restruct_sec_ie23a(struct rtw_adapter *adapter, u8 *in_ie, u8 *out_ie, memcpy(&out_ie[ielength], &psecuritypriv->supplicant_ie[0], psecuritypriv->supplicant_ie[1] + 2); ielength += psecuritypriv->supplicant_ie[1] + 2; - _rtw_report_sec_ie(adapter, authmode, - psecuritypriv->supplicant_ie); } iEntry = SecIsInPMKIDList(adapter, pmlmepriv->assoc_bssid);