From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Takashi Iwai <tiwai@suse.de>,
huangwen <huangwen@venustech.com.cn>,
Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 06/21] mwifiex: Fix possible buffer overflows at parsing bss descriptor
Date: Wed, 26 Jun 2019 20:41:06 -0400 [thread overview]
Message-ID: <20190627004122.21671-6-sashal@kernel.org> (raw)
In-Reply-To: <20190627004122.21671-1-sashal@kernel.org>
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 ]
mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
a couple places without checking the destination size. Since the
source is given from user-space, this may trigger a heap buffer
overflow.
Fix it by putting the length check before performing memcpy().
This fix addresses CVE-2019-3846.
Reported-by: huangwen <huangwen@venustech.com.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
index 78d59a67f7e1..674ad3405646 100644
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -1236,6 +1236,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
}
switch (element_id) {
case WLAN_EID_SSID:
+ if (element_len > IEEE80211_MAX_SSID_LEN)
+ return -EINVAL;
bss_entry->ssid.ssid_len = element_len;
memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
element_len);
@@ -1245,6 +1247,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
break;
case WLAN_EID_SUPP_RATES:
+ if (element_len > MWIFIEX_SUPPORTED_RATES)
+ return -EINVAL;
memcpy(bss_entry->data_rates, current_ptr + 2,
element_len);
memcpy(bss_entry->supported_rates, current_ptr + 2,
--
2.20.1
next prev parent reply other threads:[~2019-06-27 0:44 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20190627004122.21671-1-sashal@kernel.org>
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 02/21] samples, bpf: fix to change the buffer size for read() Sasha Levin
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 04/21] mac80211: mesh: fix RCU warning Sasha Levin
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 05/21] mac80211: free peer keys before vif down in mesh Sasha Levin
2019-06-27 0:41 ` Sasha Levin [this message]
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 07/21] mwifiex: Abort at too short BSS descriptor element Sasha Levin
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 08/21] netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments Sasha Levin
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 09/21] netfilter: ipv6: nf_defrag: accept duplicate fragments again Sasha Levin
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 10/21] dt-bindings: can: mcp251x: add mcp25625 support Sasha Levin
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 11/21] can: mcp251x: add support for mcp25625 Sasha Levin
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 14/21] mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed Sasha Levin
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 17/21] mac80211: only warn once on chanctx_conf being NULL Sasha Levin
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 19/21] bnx2x: Check if transceiver implements DDM before access Sasha Levin
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 20/21] ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL Sasha Levin
2019-06-27 0:41 ` [PATCH AUTOSEL 4.9 21/21] net :sunrpc :clnt :Fix xps refcount imbalance on the error path Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190627004122.21671-6-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=huangwen@venustech.com.cn \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).