linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Arend van Spriel <arend.vanspriel@broadcom.com>
To: sedat.dilek@gmail.com
Cc: Kalle Valo <kvalo@codeaurora.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-wireless@vger.kernel.org
Subject: Re: [PATCH] brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
Date: Fri, 7 Jul 2017 21:39:03 +0200	[thread overview]
Message-ID: <069e03ba-9d83-cde9-5ff1-49f847ccb887@broadcom.com> (raw)
In-Reply-To: <CA+icZUXVEBQzau4d36iO1vvhioX_WM8AH-iw=Tv+vUcVBtUeWw@mail.gmail.com>

On 07-07-17 14:47, Sedat Dilek wrote:
> On Fri, Jul 7, 2017 at 2:01 PM, Arend van Spriel
> <arend.vanspriel@broadcom.com> wrote:
>> The lower level nl80211 code in cfg80211 ensures that "len" is between
>> 25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
>> "len" so thats's max of 2280.  However, the action_frame->data[] buffer is
>> only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
>> overflow.
>>
>>         memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
>>                le16_to_cpu(action_frame->len));
>>
>> Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
>> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
>> ---
>> Hi Kalle,
>>
>> Here is the patch as Linus send it to us and security@kernel.org. I
>> removed the lower bound check as that is already done in cfg80211.
>> Now I signed off on the patch although formally I suppose Linus should
>> sign it off. Putting it out there so people can respond as deemed
>> necessary.
>>
>> Now fingers crossed whether patchwork will properly deal with the UTF-8
>> characters :-p
>>
> 
> Somehow horrific to see - less in usage (no CC here).

Sorry, Sedat

What is horrific? It is a bit cryptic (for me) what you would like me to
do now if anything.

Regards,
Arend

> - Sedat -
> 
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=security%40kernel.org
> 

  reply	other threads:[~2017-07-07 19:39 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-07-07 12:01 [PATCH] brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() Arend van Spriel
2017-07-07 12:47 ` Sedat Dilek
2017-07-07 19:39   ` Arend van Spriel [this message]
2017-07-12  9:59     ` Sedat Dilek
2017-07-07 13:17 ` Johannes Berg
2017-07-07 16:37   ` Linus Torvalds

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=069e03ba-9d83-cde9-5ff1-49f847ccb887@broadcom.com \
    --to=arend.vanspriel@broadcom.com \
    --cc=kvalo@codeaurora.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=sedat.dilek@gmail.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).