* [PATCH 1/1] mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start
@ 2020-12-06 8:48 Xiaohui Zhang
2020-12-08 7:33 ` Kalle Valo
0 siblings, 1 reply; 2+ messages in thread
From: Xiaohui Zhang @ 2020-12-06 8:48 UTC (permalink / raw)
To: Xiaohui Zhang, Amitkumar Karwar, Ganapathi Bhat, Xinming Hu,
Kalle Valo, davem, Jakub Kicinski, linux-wireless, netdev,
linux-kernel
From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking
the destination size may trigger a buffer overflower,
which a local user could use to cause denial of service
or the execution of arbitrary code.
Fix it by putting the length check before calling memcpy().
Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
---
drivers/net/wireless/marvell/mwifiex/join.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/join.c b/drivers/net/wireless/marvell/mwifiex/join.c
index 5934f7147..173ccf79c 100644
--- a/drivers/net/wireless/marvell/mwifiex/join.c
+++ b/drivers/net/wireless/marvell/mwifiex/join.c
@@ -877,6 +877,8 @@ mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv,
memset(adhoc_start->ssid, 0, IEEE80211_MAX_SSID_LEN);
+ if (req_ssid->ssid_len > IEEE80211_MAX_SSID_LEN)
+ req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN;
memcpy(adhoc_start->ssid, req_ssid->ssid, req_ssid->ssid_len);
mwifiex_dbg(adapter, INFO, "info: ADHOC_S_CMD: SSID = %s\n",
--
2.17.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH 1/1] mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start
2020-12-06 8:48 [PATCH 1/1] mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start Xiaohui Zhang
@ 2020-12-08 7:33 ` Kalle Valo
0 siblings, 0 replies; 2+ messages in thread
From: Kalle Valo @ 2020-12-08 7:33 UTC (permalink / raw)
To: Xiaohui Zhang
Cc: Xiaohui Zhang, Amitkumar Karwar, Ganapathi Bhat, Xinming Hu,
davem, Jakub Kicinski, linux-wireless, netdev, linux-kernel
Xiaohui Zhang <ruc_zhangxiaohui@163.com> wrote:
> From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
>
> mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking
> the destination size may trigger a buffer overflower,
> which a local user could use to cause denial of service
> or the execution of arbitrary code.
> Fix it by putting the length check before calling memcpy().
>
> Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
Patch applied to wireless-drivers-next.git, thanks.
5c455c5ab332 mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start
--
https://patchwork.kernel.org/project/linux-wireless/patch/20201206084801.26479-1-ruc_zhangxiaohui@163.com/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-12-08 7:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-06 8:48 [PATCH 1/1] mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start Xiaohui Zhang
2020-12-08 7:33 ` Kalle Valo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).