* Re: [PATCH v2] mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() [not found] <CAGftXBHnkYt2KR=kqJfDhEqEuW52ckbepCmTnQQcDyDcVG0WZg@mail.gmail.com> @ 2019-11-29 8:34 ` Greg KH 2019-11-29 8:39 ` Kalle Valo 0 siblings, 1 reply; 2+ messages in thread From: Greg KH @ 2019-11-29 8:34 UTC (permalink / raw) To: qize wang Cc: linux-wireless, amitkarwar, nishants, gbhat, huxinming820, kvalo, security, linux-distros, dan.carpenter, Solar Designer Some minor problems with your patch: On Fri, Nov 29, 2019 at 04:18:21PM +0800, qize wang wrote: > mwifiex_process_tdls_action_frame() without checking > the incoming tdls infomation element's vality before use it, > this may cause multi heap buffer overflows. > > Fix them by putting vality check before use it. > > IE is TLV struct, but ht_cap and ht_oper aren’t TLV struct. > the origin marvell driver code is wrong: > > memcpy(&sta_ptr->tdls_cap.ht_oper, pos,.... > memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,... > > Fix the bug by changing pos(the address of IE) to > pos+2 ( the address of IE’s value ). > > Signed-off-by: wangqize <540263207@qq.com> This has to match the name on the From: line. > --- > v2: change commit log > drivers/net/wireless/marvell/mwifiex/tdls.c | 70 > ++++++++++++++++++++++++++--- > 1 file changed, 64 insertions(+), 6 deletions(-) > > diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c > b/drivers/net/wireless/marvell/mwifiex/tdls.c > index 09313047beed..7caf1d26124a 100644 > --- a/drivers/net/wireless/marvell/mwifiex/tdls.c > +++ b/drivers/net/wireless/marvell/mwifiex/tdls.c > @@ -953,59 +953,117 @@ void mwifiex_process_tdls_action_frame(struct > mwifiex_private *priv, > > switch (*pos) { > case WLAN_EID_SUPP_RATES: > + if (pos[1] > 32) > + return; All of your whitespace is totally damaged here, making this patch impossible to apply :( Please fix up your email client to not do that (you can just use 'git send-email' directly) and resend a v3. thanks, greg k-h ^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH v2] mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() 2019-11-29 8:34 ` [PATCH v2] mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() Greg KH @ 2019-11-29 8:39 ` Kalle Valo 0 siblings, 0 replies; 2+ messages in thread From: Kalle Valo @ 2019-11-29 8:39 UTC (permalink / raw) To: Greg KH Cc: qize wang, linux-wireless, amitkarwar, nishants, gbhat, huxinming820, dan.carpenter, Solar Designer (dropping security lists) Greg KH <gregkh@linuxfoundation.org> writes: > Some minor problems with your patch: > > On Fri, Nov 29, 2019 at 04:18:21PM +0800, qize wang wrote: >> mwifiex_process_tdls_action_frame() without checking >> the incoming tdls infomation element's vality before use it, >> this may cause multi heap buffer overflows. >> >> Fix them by putting vality check before use it. >> >> IE is TLV struct, but ht_cap and ht_oper aren’t TLV struct. >> the origin marvell driver code is wrong: >> >> memcpy(&sta_ptr->tdls_cap.ht_oper, pos,.... >> memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,... >> >> Fix the bug by changing pos(the address of IE) to >> pos+2 ( the address of IE’s value ). >> >> Signed-off-by: wangqize <540263207@qq.com> > > This has to match the name on the From: line. > >> --- >> v2: change commit log >> drivers/net/wireless/marvell/mwifiex/tdls.c | 70 >> ++++++++++++++++++++++++++--- >> 1 file changed, 64 insertions(+), 6 deletions(-) >> >> diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c >> b/drivers/net/wireless/marvell/mwifiex/tdls.c >> index 09313047beed..7caf1d26124a 100644 >> --- a/drivers/net/wireless/marvell/mwifiex/tdls.c >> +++ b/drivers/net/wireless/marvell/mwifiex/tdls.c >> @@ -953,59 +953,117 @@ void mwifiex_process_tdls_action_frame(struct >> mwifiex_private *priv, >> >> switch (*pos) { >> case WLAN_EID_SUPP_RATES: >> + if (pos[1] > 32) >> + return; > > All of your whitespace is totally damaged here, making this patch > impossible to apply :( And even worse, it was using HTML :) > Please fix up your email client to not do that (you can just use 'git > send-email' directly) and resend a v3. Yes, please. And even better if you try sending the patch to yourself and then applying with git-am. That way you should notice any problems with the mail settings. More info in the link below, read it very carefully. -- https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-11-29 8:39 UTC | newest] Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <CAGftXBHnkYt2KR=kqJfDhEqEuW52ckbepCmTnQQcDyDcVG0WZg@mail.gmail.com> 2019-11-29 8:34 ` [PATCH v2] mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() Greg KH 2019-11-29 8:39 ` Kalle Valo
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).