linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Arend van Spriel <arend.vanspriel@broadcom.com>
To: Maya Erez <qca_merez@qca.qualcomm.com>,
	Kalle Valo <kvalo@codeaurora.org>
Cc: Hamad Kadmany <QCA_hkadmany@QCA.qualcomm.com>,
	linux-wireless@vger.kernel.org, wil6210@qca.qualcomm.com,
	Lior David <qca_liord@qca.qualcomm.com>
Subject: Re: [PATCH v4 01/10] wil6210: protect against invalid length of tx management frame
Date: Wed, 9 Aug 2017 10:02:29 +0200	[thread overview]
Message-ID: <598AC195.3000205@broadcom.com> (raw)
In-Reply-To: <1501787302-22885-2-git-send-email-qca_merez@qca.qualcomm.com>

On 8/3/2017 9:08 PM, Maya Erez wrote:
> From: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
>
> Validate buffer length has the minimum needed size
> when sending management frame to protect against
> possible buffer overrun.

I noticed this is already applied, but I saw this subject text which has 
similar sound to a recent patch in our driver so I it made me curious...

> Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
> Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
> ---
>   drivers/net/wireless/ath/wil6210/cfg80211.c | 3 +++
>   drivers/net/wireless/ath/wil6210/debugfs.c  | 3 +++
>   2 files changed, 6 insertions(+)
>
> diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
> index 0b5383a..77af749 100644
> --- a/drivers/net/wireless/ath/wil6210/cfg80211.c
> +++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
> @@ -884,6 +884,9 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
>   	wil_hex_dump_misc("mgmt tx frame ", DUMP_PREFIX_OFFSET, 16, 1, buf,
>   			  len, true);
>
> +	if (len < sizeof(struct ieee80211_hdr_3addr))
> +		return -EINVAL;

A similar check is already in net/wireless/cfg80211_mlme_mgmt_tx() which 
calls this function:

	if (params->len < 24 + 1)
		return -EINVAL;

So it only makes sense if this is called from some other call site....

>   	cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL);
>   	if (!cmd) {
>   		rc = -ENOMEM;
> diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c
> index f82506d..a2b5d59 100644
> --- a/drivers/net/wireless/ath/wil6210/debugfs.c
> +++ b/drivers/net/wireless/ath/wil6210/debugfs.c
> @@ -801,6 +801,9 @@ static ssize_t wil_write_file_txmgmt(struct file *file, const char __user *buf,
>   	int rc;
>   	void *frame;
>
> +	if (!len)
> +		return -EINVAL;
> +

... which is in this function. Now I wonder why you would need this 
method in the first place. Why not stick with using the nl80211 
NL80211_CMD_FRAME api?

Regards,
Arend

>   	frame = memdup_user(buf, len);
>   	if (IS_ERR(frame))
>   		return PTR_ERR(frame);
>

  parent reply	other threads:[~2017-08-09  8:02 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-08-03 19:08 [PATCH v4 00/10] wil6210 patches Maya Erez
2017-08-03 19:08 ` [PATCH v4 01/10] wil6210: protect against invalid length of tx management frame Maya Erez
2017-08-08 18:44   ` [v4, " Kalle Valo
2017-08-09  8:02   ` Arend van Spriel [this message]
2017-08-09 12:01     ` [PATCH v4 " Lior David
2017-08-03 19:08 ` [PATCH v4 02/10] wil6210: allow configuring scan timers Maya Erez
2017-08-08 10:53   ` Kalle Valo
2017-08-03 19:08 ` [PATCH v4 03/10] wil6210: support FW RSSI reporting Maya Erez
2017-08-03 19:08 ` [PATCH v4 04/10] wil6210: check no_fw_recovery in resume failure recovery Maya Erez
2017-08-03 19:08 ` [PATCH v4 05/10] wil6210: add statistics for suspend time Maya Erez
2017-08-03 19:08 ` [PATCH v4 06/10] wil6210: notify wiphy on wowlan support Maya Erez
2017-08-03 19:08 ` [PATCH v4 07/10] wil6210: fix interface-up check Maya Erez
2017-08-03 19:08 ` [PATCH v4 08/10] wil6210: store FW RF calibration result Maya Erez
2017-08-03 19:08 ` [PATCH v4 09/10] wil6210: move vring_idle_trsh definition to wil6210_priv Maya Erez
2017-08-03 19:08 ` [PATCH v4 10/10] wil6210: make debugfs compilation optional Maya Erez
2017-08-08 11:03   ` Kalle Valo
2017-08-08 17:32     ` Lior David
2017-08-08 18:43       ` Kalle Valo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=598AC195.3000205@broadcom.com \
    --to=arend.vanspriel@broadcom.com \
    --cc=QCA_hkadmany@QCA.qualcomm.com \
    --cc=kvalo@codeaurora.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=qca_liord@qca.qualcomm.com \
    --cc=qca_merez@qca.qualcomm.com \
    --cc=wil6210@qca.qualcomm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).