From: Takashi Iwai <tiwai@suse.de>
To: linux-wireless@vger.kernel.org
Cc: Amitkumar Karwar <amitkarwar@gmail.com>,
Nishant Sarmukadam <nishants@marvell.com>,
Ganapathi Bhat <gbhat@marvell.com>,
Xinming Hu <huxinming820@gmail.com>,
Kalle Valo <kvalo@codeaurora.org>,
huangwen@venustech.com.cn, Solar Designer <solar@openwall.com>,
Marcus Meissner <meissner@suse.de>
Subject: [PATCH 1/2] mwifiex: Fix possible buffer overflows at parsing bss descriptor
Date: Wed, 29 May 2019 14:52:19 +0200 [thread overview]
Message-ID: <20190529125220.17066-2-tiwai@suse.de> (raw)
In-Reply-To: <20190529125220.17066-1-tiwai@suse.de>
mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
a couple places without checking the destination size. Since the
source is given from user-space, this may trigger a heap buffer
overflow.
Fix it by putting the length check before performing memcpy().
This fix addresses CVE-2019-3846.
Reported-by: huangwen <huangwen@venustech.com.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
index 935778ec9a1b..64ab6fe78c0d 100644
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -1247,6 +1247,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
}
switch (element_id) {
case WLAN_EID_SSID:
+ if (element_len > IEEE80211_MAX_SSID_LEN)
+ return -EINVAL;
bss_entry->ssid.ssid_len = element_len;
memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
element_len);
@@ -1256,6 +1258,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
break;
case WLAN_EID_SUPP_RATES:
+ if (element_len > MWIFIEX_SUPPORTED_RATES)
+ return -EINVAL;
memcpy(bss_entry->data_rates, current_ptr + 2,
element_len);
memcpy(bss_entry->supported_rates, current_ptr + 2,
--
2.16.4
next prev parent reply other threads:[~2019-05-29 12:52 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-29 12:52 [PATCH 0/2] Buffer overflow / read checks in mwifiex Takashi Iwai
2019-05-29 12:52 ` Takashi Iwai [this message]
2019-05-30 11:22 ` [PATCH 1/2] mwifiex: Fix possible buffer overflows at parsing bss descriptor Kalle Valo
2019-05-29 12:52 ` [PATCH 2/2] mwifiex: Abort at too short BSS descriptor element Takashi Iwai
2019-06-13 17:49 ` Brian Norris
2019-06-13 18:12 ` Takashi Iwai
2019-06-13 18:38 ` Brian Norris
2019-06-13 20:26 ` Brian Norris
2019-06-15 0:19 ` Brian Norris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190529125220.17066-2-tiwai@suse.de \
--to=tiwai@suse.de \
--cc=amitkarwar@gmail.com \
--cc=gbhat@marvell.com \
--cc=huangwen@venustech.com.cn \
--cc=huxinming820@gmail.com \
--cc=kvalo@codeaurora.org \
--cc=linux-wireless@vger.kernel.org \
--cc=meissner@suse.de \
--cc=nishants@marvell.com \
--cc=solar@openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).