From: Kalle Valo <kvalo@codeaurora.org>
To: Takashi Iwai <tiwai@suse.de>
Cc: Amitkumar Karwar <amitkarwar@gmail.com>,
Nishant Sarmukadam <nishants@marvell.com>,
Ganapathi Bhat <gbhat@marvell.com>,
Xinming Hu <huxinming820@gmail.com>,
huangwen <huangwen@venustech.com.cn>,
Solar Designer <solar@openwall.com>,
Marcus Meissner <meissner@suse.de>,
linux-wireless@vger.kernel.org
Subject: Re: [PATCH] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
Date: Sat, 1 Jun 2019 05:06:46 +0000 (UTC)
Message-ID: <20190601050646.C6CE060C72@smtp.codeaurora.org>
In-Reply-To: <20190531131841.7552-1-tiwai@suse.de>
Takashi Iwai <tiwai@suse.de> wrote:
> A few places in mwifiex_uap_parse_tail_ies() perform memcpy()
> unconditionally, which may lead to either buffer overflow or read over
> boundary.
>
> This patch addresses the issues by checking the read size and the
> destination size at each place more properly. Along with the fixes,
> the patch cleans up the code slightly by introducing a temporary
> variable for the token size, and unifies the error path with the
> standard goto statement.
>
> Reported-by: huangwen <huangwen@venustech.com.cn>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Patch applied to wireless-drivers.git, thanks.
69ae4f6aac15 mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
--
https://patchwork.kernel.org/patch/10970141/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
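
The pattern the quoted commit message describes (one temporary for the token size, a check of the read size and of the destination size before each memcpy(), and a single goto exit), as an added C example that is not the driver's code or part of the patch. `copy_ie`, `struct ie_store`, `DST_MAX` and the sample buffers are hypothetical, and the input is assumed to be a sequence of ID/length/payload elements.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_HDR_LEN 2   /* element ID byte + length byte */
#define DST_MAX    64  /* hypothetical fixed destination size */

struct ie_store {      /* hypothetical destination, not a driver structure */
    uint8_t buf[DST_MAX];
    size_t  len;
};

/* Constructed sample inputs: a well-formed tail, and one whose last
 * element declares 5 payload bytes but carries only 1. */
static const uint8_t good_tail[]  = { 0x00, 0x03, 'a', 'b', 'c', 0xdd, 0x02, 0x11, 0x22 };
static const uint8_t short_tail[] = { 0x00, 0x01, 'a', 0xdd, 0x05, 0x11 };

/* Copy the first element with ID `want` (header included) into `dst`.
 * Returns 0 on success, -1 if malformed, missing, or too large for `dst`. */
int copy_ie(const uint8_t *ies, size_t left, uint8_t want, struct ie_store *dst)
{
    int ret = -1;
    dst->len = 0;
    while (left >= IE_HDR_LEN) {
        /* One temporary for the whole token: header plus declared payload. */
        size_t token_len = IE_HDR_LEN + (size_t)ies[1];
        if (token_len > left)                   /* read size: stay inside the input */
            goto done;
        if (ies[0] == want) {
            if (token_len > sizeof(dst->buf))   /* destination size */
                goto done;
            memcpy(dst->buf, ies, token_len);
            dst->len = token_len;
            ret = 0;
            goto done;
        }
        ies += token_len;
        left -= token_len;
    }
done:
    return ret;   /* single exit for every error and success path */
}

int main(void)
{
    struct ie_store s;
    return (copy_ie(good_tail, sizeof(good_tail), 0xdd, &s) == 0 &&
            copy_ie(short_tail, sizeof(short_tail), 0xdd, &s) == -1) ? 0 : 1;
}
```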