From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D008C433B4 for ; Sun, 18 Apr 2021 06:57:34 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E036A6120C for ; Sun, 18 Apr 2021 06:57:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230036AbhDRGzi (ORCPT ); Sun, 18 Apr 2021 02:55:38 -0400 Received: from so254-9.mailgun.net ([198.61.254.9]:19698 "EHLO so254-9.mailgun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229478AbhDRGzi (ORCPT ); Sun, 18 Apr 2021 02:55:38 -0400 DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt; s=smtp; t=1618728910; h=Content-Type: MIME-Version: Message-ID: In-Reply-To: Date: References: Subject: Cc: To: From: Sender; bh=Utc3RPK8eY1uRcKm9lChhTtO6d9Pq8zc08SGUU+2IoQ=; b=H2oGeeftZPZVufuFFf0frEGlwgu3blQQVkzIeoUQQWCyxhLSHoEGXy7C2wBICmjZJV+Z0cOd DY0F7X/HwUC1VkI9VhY72Q4gFEGm4B/9SQsfPHKdBL76c3ac+5V4F6fAmBNRlTwgRoqAm5L7 aCkf7G6/AYNUVHVSMXLzrj2aW9c= X-Mailgun-Sending-Ip: 198.61.254.9 X-Mailgun-Sid: WyI3YTAwOSIsICJsaW51eC13aXJlbGVzc0B2Z2VyLmtlcm5lbC5vcmciLCAiYmU5ZTRhIl0= Received: from smtp.codeaurora.org (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by smtp-out-n01.prod.us-west-2.postgun.com with SMTP id 607bd7c5f34440a9d43beced (version=TLS1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Sun, 18 Apr 2021 06:55:01 GMT Sender: kvalo=codeaurora.org@mg.codeaurora.org Received: by smtp.codeaurora.org (Postfix, from userid 1001) id 883ACC4323A; Sun, 18 Apr 2021 06:55:01 +0000 (UTC) Received: from potku.adurom.net (88-114-240-156.elisa-laajakaista.fi [88.114.240.156]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: kvalo) by smtp.codeaurora.org (Postfix) with ESMTPSA id 40CE2C433D3; Sun, 18 Apr 2021 06:54:58 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 40CE2C433D3 Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; spf=fail smtp.mailfrom=kvalo@codeaurora.org From: Kalle Valo To: Lee Gibson Cc: davem@davemloft.net, kuba@kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] wl1251: Fix possible buffer overflow in wl1251_cmd_scan References: <20210317121807.389169-1-leegib@gmail.com> Date: Sun, 18 Apr 2021 09:54:57 +0300 In-Reply-To: <20210317121807.389169-1-leegib@gmail.com> (Lee Gibson's message of "Wed, 17 Mar 2021 12:18:07 +0000") Message-ID: <87wnt0jd4u.fsf@codeaurora.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Lee Gibson writes: > Function wl1251_cmd_scan calls memcpy without checking the length. > A user could control that length and trigger a buffer overflow. > Fix by checking the length is within the maximum allowed size. > > Signed-off-by: Lee Gibson Please fix the commit log, the user cannot control this length as cfg80211 checks it before handling it to wl1251. Unless I'm missing something. > --- > drivers/net/wireless/ti/wl1251/cmd.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c > index 498c8db2eb48..e4d028a53d91 100644 > --- a/drivers/net/wireless/ti/wl1251/cmd.c > +++ b/drivers/net/wireless/ti/wl1251/cmd.c > @@ -455,8 +455,11 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len, > } > > cmd->params.ssid_len = ssid_len; If you are checking the length, you should also check ssid_len here. > - if (ssid) > - memcpy(cmd->params.ssid, ssid, ssid_len); > + if (ssid) { > + int len = min_t(int, ssid_len, IEEE80211_MAX_SSID_LEN); > + > + memcpy(cmd->params.ssid, ssid, len); > + } Please use clamp_val(). Also another (and IMHO better) way to cleanup this is to provide a pointer to struct cfg80211_ssid, which makes it clear that the length can be trusted and not length checking is not needed. So something like this: int wl1251_cmd_scan(struct wl1251 *wl, const struct cfg80211_ssid *ssid, struct ieee80211_channel *channels[], unsigned int n_channels, unsigned int n_probes) -- https://patchwork.kernel.org/project/linux-wireless/list/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches