tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

staging/rtl8192e: Remove all strcpy() uses

strcpy() performs no bounds checking on the destination buffer. This
could result in linear overflows beyond the end of the buffer, leading
to all kinds of misbehaviors. The safe replacement is strscpy().

It is also dangerous a strcpy() followed by a strcat(). In this case,
refactor the code using scnprintf() and avoid this combination.

Signed-off-by: Len Baker <len.baker@gmx.com>
Link: https://lore.kernel.org/r/20210723173216.12157-1-len.baker@gmx.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Len Baker and committed by
Greg Kroah-Hartman cf79ee6e 36174650

+9 -12
+1 -1
drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
··· 2167 2167 { 2168 2168 struct r8192_priv *priv = rtllib_priv(dev); 2169 2169 2170 - strcpy(priv->nick, "rtl8192E"); 2170 + strscpy(priv->nick, "rtl8192E", sizeof(priv->nick)); 2171 2171 2172 2172 priv->rtllib->softmac_features = IEEE_SOFTMAC_SCAN | 2173 2173 IEEE_SOFTMAC_ASSOCIATE | IEEE_SOFTMAC_PROBERQ |
+2 -1
drivers/staging/rtl8192e/rtllib_softmac.c
··· 2582 2582 mutex_lock(&ieee->wx_mutex); 2583 2583 2584 2584 if (ieee->current_network.ssid_len == 0) { 2585 - strcpy(ieee->current_network.ssid, RTLLIB_DEFAULT_TX_ESSID); 2585 + strscpy(ieee->current_network.ssid, RTLLIB_DEFAULT_TX_ESSID, 2586 + sizeof(ieee->current_network.ssid)); 2586 2587 ieee->current_network.ssid_len = strlen(RTLLIB_DEFAULT_TX_ESSID); 2587 2588 ieee->ssid_set = 1; 2588 2589 }
+6 -10
drivers/staging/rtl8192e/rtllib_softmac_wx.c
··· 539 539 } 540 540 EXPORT_SYMBOL(rtllib_wx_set_rawtx); 541 541 542 - int rtllib_wx_get_name(struct rtllib_device *ieee, 543 - struct iw_request_info *info, 544 - union iwreq_data *wrqu, char *extra) 542 + int rtllib_wx_get_name(struct rtllib_device *ieee, struct iw_request_info *info, 543 + union iwreq_data *wrqu, char *extra) 545 544 { 546 - strcpy(wrqu->name, "802.11"); 545 + const char *b = ieee->modulation & RTLLIB_CCK_MODULATION ? "b" : ""; 546 + const char *g = ieee->modulation & RTLLIB_OFDM_MODULATION ? "g" : ""; 547 + const char *n = ieee->mode & (IEEE_N_24G | IEEE_N_5G) ? "n" : ""; 547 548 548 - if (ieee->modulation & RTLLIB_CCK_MODULATION) 549 - strcat(wrqu->name, "b"); 550 - if (ieee->modulation & RTLLIB_OFDM_MODULATION) 551 - strcat(wrqu->name, "g"); 552 - if (ieee->mode & (IEEE_N_24G | IEEE_N_5G)) 553 - strcat(wrqu->name, "n"); 549 + scnprintf(wrqu->name, sizeof(wrqu->name), "802.11%s%s%s", b, g, n); 554 550 return 0; 555 551 } 556 552 EXPORT_SYMBOL(rtllib_wx_get_name);