From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1BEF4C11F72 for ; Tue, 6 Jul 2021 12:02:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 05594620DC for ; Tue, 6 Jul 2021 12:02:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242512AbhGFMCi (ORCPT ); Tue, 6 Jul 2021 08:02:38 -0400 Received: from mail.kernel.org ([198.145.29.99]:47572 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237396AbhGFLgH (ORCPT ); Tue, 6 Jul 2021 07:36:07 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C2BD561D90; Tue, 6 Jul 2021 11:27:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1625570840; bh=DLMSh4j0AnmTMlzgxM/VboZ7+8wm4ULFHQ39d2I+ppE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WwPpKpR+px5HKk88o13tanPICXQbElDGr8bpfMLOwdyPzIPrGyGoiKJeQG/odpsb8 dPllXSDQ8H1c+JS1D/NDbISCpoqC+onJ8XqI9xHQGpRWOnXLNI3WNCKbesYhy1UBZY JQBs3qTJs8+nyDZPIf/BLQ71l/v6p6adDrqoxSquO/YfQ675XfEwtKGUIA7RBWCmii PPu6j5UzeC47X4zh/cjBY67sBxMvPTyFzGAHK9Ea987rbwzt6RntiPe9VLwE+UWGUb Abz8uQtNOLZTsfjoLQaSDTL7ww+2x57YmkaLGIqE12z7nJjilN0xRYlGkXXoh6DU1p 54SQAtTrYzbow== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Lee Gibson , Kalle Valo , Sasha Levin , linux-wireless@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 4.19 33/55] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Date: Tue, 6 Jul 2021 07:26:16 -0400 Message-Id: <20210706112638.2065023-33-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210706112638.2065023-1-sashal@kernel.org> References: <20210706112638.2065023-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Lee Gibson [ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ] Function wl1251_cmd_scan calls memcpy without checking the length. Harden by checking the length is within the maximum allowed size. Signed-off-by: Lee Gibson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com Signed-off-by: Sasha Levin --- drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c index 9547aea01b0f..ea0215246c5c 100644 --- a/drivers/net/wireless/ti/wl1251/cmd.c +++ b/drivers/net/wireless/ti/wl1251/cmd.c @@ -466,9 +466,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len, cmd->channels[i].channel = channels[i]->hw_value; } - cmd->params.ssid_len = ssid_len; - if (ssid) - memcpy(cmd->params.ssid, ssid, ssid_len); + if (ssid) { + int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN); + + cmd->params.ssid_len = len; + memcpy(cmd->params.ssid, ssid, len); + } ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd)); if (ret < 0) { -- 2.30.2