* [PATCH v2] rtlwifi: Fix potential overflow on P2P code
@ 2019-10-18 11:43 Laura Abbott
2019-10-18 12:35 ` Pkshih
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Laura Abbott @ 2019-10-18 11:43 UTC (permalink / raw)
To: Ping-Ke Shih, Kalle Valo
Cc: Laura Abbott, David S . Miller, linux-wireless, netdev,
linux-kernel, Nicolas Waisman
Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bound noa_num against P2P_MAX_NOA_NUM.
Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
---
v2: Use P2P_MAX_NOA_NUM instead of erroring out.
---
drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
index 70f04c2f5b17..fff8dda14023 100644
--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
+++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
@@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
return;
} else {
noa_num = (noa_len - 2) / 13;
+ if (noa_num > P2P_MAX_NOA_NUM)
+ noa_num = P2P_MAX_NOA_NUM;
+
}
noa_index = ie[3];
if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
@@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
return;
} else {
noa_num = (noa_len - 2) / 13;
+ if (noa_num > P2P_MAX_NOA_NUM)
+ noa_num = P2P_MAX_NOA_NUM;
+
}
noa_index = ie[3];
if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
--
2.21.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
2019-10-18 11:43 [PATCH v2] rtlwifi: Fix potential overflow on P2P code Laura Abbott
@ 2019-10-18 12:35 ` Pkshih
2019-10-19 10:57 ` Kalle Valo
2019-10-19 10:51 ` Kalle Valo
2019-10-23 10:31 ` Kalle Valo
2 siblings, 1 reply; 7+ messages in thread
From: Pkshih @ 2019-10-18 12:35 UTC (permalink / raw)
To: labbott, kvalo; +Cc: linux-wireless, davem, netdev, linux-kernel, nico
On Fri, 2019-10-18 at 07:43 -0400, Laura Abbott wrote:
> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
>
> Reported-by: Nicolas Waisman <nico@semmle.com>
> Signed-off-by: Laura Abbott <labbott@redhat.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
and Please CC to stable
Cc: Stable <stable@vger.kernel.org> # 4.4+
---
Hi Kalle,
This bug was existing since v3.10, and directory of wireless drivers were
moved at v4.4. Do I need send another patch to fix this issue for longterm
kernel v3.16.75?
Thanks
PK
> ---
> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
> ---
> drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c
> b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..fff8dda14023 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void
> *data,
> return;
> } else {
> noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
> }
> noa_index = ie[3];
> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw,
> void *data,
> return;
> } else {
> noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
> }
> noa_index = ie[3];
> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
2019-10-18 12:35 ` Pkshih
@ 2019-10-19 10:57 ` Kalle Valo
0 siblings, 0 replies; 7+ messages in thread
From: Kalle Valo @ 2019-10-19 10:57 UTC (permalink / raw)
To: Pkshih; +Cc: labbott, linux-wireless, davem, netdev, linux-kernel, nico
Pkshih <pkshih@realtek.com> writes:
> On Fri, 2019-10-18 at 07:43 -0400, Laura Abbott wrote:
>> Nicolas Waisman noticed that even though noa_len is checked for
>> a compatible length it's still possible to overrun the buffers
>> of p2pinfo since there's no check on the upper bound of noa_num.
>> Bound noa_num against P2P_MAX_NOA_NUM.
>>
>> Reported-by: Nicolas Waisman <nico@semmle.com>
>> Signed-off-by: Laura Abbott <labbott@redhat.com>
>
> Acked-by: Ping-Ke Shih <pkshih@realtek.com>
> and Please CC to stable
> Cc: Stable <stable@vger.kernel.org> # 4.4+
>
> ---
>
> Hi Kalle,
>
> This bug was existing since v3.10, and directory of wireless drivers were
> moved at v4.4. Do I need send another patch to fix this issue for longterm
> kernel v3.16.75?
Yeah, I think you need to send a separate patch to the stable list
(after this commit is in Linus' tree).
--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
2019-10-18 11:43 [PATCH v2] rtlwifi: Fix potential overflow on P2P code Laura Abbott
2019-10-18 12:35 ` Pkshih
@ 2019-10-19 10:51 ` Kalle Valo
2019-10-19 19:02 ` Laura Abbott
2019-10-23 10:31 ` Kalle Valo
2 siblings, 1 reply; 7+ messages in thread
From: Kalle Valo @ 2019-10-19 10:51 UTC (permalink / raw)
To: Laura Abbott
Cc: Ping-Ke Shih, David S . Miller, linux-wireless, netdev,
linux-kernel, Nicolas Waisman
Laura Abbott <labbott@redhat.com> writes:
> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
>
> Reported-by: Nicolas Waisman <nico@semmle.com>
> Signed-off-by: Laura Abbott <labbott@redhat.com>
> ---
> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
> ---
> drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..fff8dda14023 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
> return;
> } else {
> noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
> }
> noa_index = ie[3];
> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
> return;
> } else {
> noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
IMHO using min() would be cleaner, but I'm fine with this as well. Up to
you.
--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
2019-10-19 10:51 ` Kalle Valo
@ 2019-10-19 19:02 ` Laura Abbott
2019-10-20 6:18 ` Kalle Valo
0 siblings, 1 reply; 7+ messages in thread
From: Laura Abbott @ 2019-10-19 19:02 UTC (permalink / raw)
To: Kalle Valo
Cc: Ping-Ke Shih, David S . Miller, linux-wireless, netdev,
linux-kernel, Nicolas Waisman
On 10/19/19 6:51 AM, Kalle Valo wrote:
> Laura Abbott <labbott@redhat.com> writes:
>
>> Nicolas Waisman noticed that even though noa_len is checked for
>> a compatible length it's still possible to overrun the buffers
>> of p2pinfo since there's no check on the upper bound of noa_num.
>> Bound noa_num against P2P_MAX_NOA_NUM.
>>
>> Reported-by: Nicolas Waisman <nico@semmle.com>
>> Signed-off-by: Laura Abbott <labbott@redhat.com>
>> ---
>> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
>> ---
>> drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
>> index 70f04c2f5b17..fff8dda14023 100644
>> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
>> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
>> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
>> return;
>> } else {
>> noa_num = (noa_len - 2) / 13;
>> + if (noa_num > P2P_MAX_NOA_NUM)
>> + noa_num = P2P_MAX_NOA_NUM;
>> +
>> }
>> noa_index = ie[3];
>> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
>> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
>> return;
>> } else {
>> noa_num = (noa_len - 2) / 13;
>> + if (noa_num > P2P_MAX_NOA_NUM)
>> + noa_num = P2P_MAX_NOA_NUM;
>
> IMHO using min() would be cleaner, but I'm fine with this as well. Up to
> you.
>
I believe the intention is to re-write this anyway so I'd prefer to
just get this in given the uptick this issue seems to have gotten.
Thanks,
Laura
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
2019-10-19 19:02 ` Laura Abbott
@ 2019-10-20 6:18 ` Kalle Valo
0 siblings, 0 replies; 7+ messages in thread
From: Kalle Valo @ 2019-10-20 6:18 UTC (permalink / raw)
To: Laura Abbott
Cc: Ping-Ke Shih, David S . Miller, linux-wireless, netdev,
linux-kernel, Nicolas Waisman
Laura Abbott <labbott@redhat.com> writes:
> On 10/19/19 6:51 AM, Kalle Valo wrote:
>> Laura Abbott <labbott@redhat.com> writes:
>>
>>> Nicolas Waisman noticed that even though noa_len is checked for
>>> a compatible length it's still possible to overrun the buffers
>>> of p2pinfo since there's no check on the upper bound of noa_num.
>>> Bound noa_num against P2P_MAX_NOA_NUM.
>>>
>>> Reported-by: Nicolas Waisman <nico@semmle.com>
>>> Signed-off-by: Laura Abbott <labbott@redhat.com>
>>> ---
>>> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
>>> ---
>>> drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
>>> 1 file changed, 6 insertions(+)
>>>
>>> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> index 70f04c2f5b17..fff8dda14023 100644
>>> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
>>> return;
>>> } else {
>>> noa_num = (noa_len - 2) / 13;
>>> + if (noa_num > P2P_MAX_NOA_NUM)
>>> + noa_num = P2P_MAX_NOA_NUM;
>>> +
>>> }
>>> noa_index = ie[3];
>>> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
>>> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
>>> return;
>>> } else {
>>> noa_num = (noa_len - 2) / 13;
>>> + if (noa_num > P2P_MAX_NOA_NUM)
>>> + noa_num = P2P_MAX_NOA_NUM;
>>
>> IMHO using min() would be cleaner, but I'm fine with this as well. Up to
>> you.
>>
>
> I believe the intention is to re-write this anyway so I'd prefer to
> just get this in given the uptick this issue seems to have gotten.
Ok, I'll queue this to v5.4.
--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
2019-10-18 11:43 [PATCH v2] rtlwifi: Fix potential overflow on P2P code Laura Abbott
2019-10-18 12:35 ` Pkshih
2019-10-19 10:51 ` Kalle Valo
@ 2019-10-23 10:31 ` Kalle Valo
2 siblings, 0 replies; 7+ messages in thread
From: Kalle Valo @ 2019-10-23 10:31 UTC (permalink / raw)
To: Laura Abbott
Cc: Ping-Ke Shih, Laura Abbott, David S . Miller, linux-wireless,
netdev, linux-kernel, Nicolas Waisman
Laura Abbott <labbott@redhat.com> wrote:
> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
>
> Reported-by: Nicolas Waisman <nico@semmle.com>
> Signed-off-by: Laura Abbott <labbott@redhat.com>
> Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Patch applied to wireless-drivers.git, thanks.
8c55dedb795b rtlwifi: Fix potential overflow on P2P code
--
https://patchwork.kernel.org/patch/11198315/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-10-23 10:31 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-18 11:43 [PATCH v2] rtlwifi: Fix potential overflow on P2P code Laura Abbott
2019-10-18 12:35 ` Pkshih
2019-10-19 10:57 ` Kalle Valo
2019-10-19 10:51 ` Kalle Valo
2019-10-19 19:02 ` Laura Abbott
2019-10-20 6:18 ` Kalle Valo
2019-10-23 10:31 ` Kalle Valo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).