From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Qing Xu <m1s5p6688@gmail.com>, Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 125/141] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
Date: Fri, 14 Feb 2020 11:21:05 -0500 [thread overview]
Message-ID: <20200214162122.19794-125-sashal@kernel.org> (raw)
In-Reply-To: <20200214162122.19794-1-sashal@kernel.org>
From: Qing Xu <m1s5p6688@gmail.com>
[ Upstream commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d ]
mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking
the destination size may trigger a buffer overflower,
which a local user could use to cause denial of service
or the execution of arbitrary code.
Fix it by putting the length check before calling memcpy().
Signed-off-by: Qing Xu <m1s5p6688@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/scan.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
index 828c6f5eb83c8..5fde2e2f1fea8 100644
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -2878,6 +2878,13 @@ mwifiex_cmd_append_vsie_tlv(struct mwifiex_private *priv,
vs_param_set->header.len =
cpu_to_le16((((u16) priv->vs_ie[id].ie[1])
& 0x00FF) + 2);
+ if (le16_to_cpu(vs_param_set->header.len) >
+ MWIFIEX_MAX_VSIE_LEN) {
+ mwifiex_dbg(priv->adapter, ERROR,
+ "Invalid param length!\n");
+ break;
+ }
+
memcpy(vs_param_set->ie, priv->vs_ie[id].ie,
le16_to_cpu(vs_param_set->header.len));
*buffer += le16_to_cpu(vs_param_set->header.len) +
--
2.20.1
next prev parent reply other threads:[~2020-02-14 16:36 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200214162122.19794-1-sashal@kernel.org>
2020-02-14 16:19 ` [PATCH AUTOSEL 4.9 006/141] brcmfmac: Fix use after free in brcmf_sdio_readframes() Sasha Levin
2020-02-14 16:19 ` [PATCH AUTOSEL 4.9 007/141] gianfar: Fix TX timestamping with a stacked DSA driver Sasha Levin
2020-02-14 16:19 ` [PATCH AUTOSEL 4.9 028/141] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Sasha Levin
2020-02-14 16:19 ` [PATCH AUTOSEL 4.9 029/141] libertas: make lbs_ibss_join_existing() return error code on rates overflow Sasha Levin
2020-02-14 16:19 ` [PATCH AUTOSEL 4.9 049/141] net/wan/fsl_ucc_hdlc: reject muram offsets above 64K Sasha Levin
2020-02-14 16:19 ` [PATCH AUTOSEL 4.9 051/141] NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() Sasha Levin
2020-02-14 16:19 ` [PATCH AUTOSEL 4.9 058/141] isdn: don't mark kcapi_proc_exit as __exit Sasha Levin
2020-02-14 16:20 ` [PATCH AUTOSEL 4.9 061/141] b43legacy: Fix -Wcast-function-type Sasha Levin
2020-02-14 16:20 ` [PATCH AUTOSEL 4.9 062/141] ipw2x00: " Sasha Levin
2020-02-14 16:20 ` [PATCH AUTOSEL 4.9 063/141] iwlegacy: " Sasha Levin
2020-02-14 16:20 ` [PATCH AUTOSEL 4.9 064/141] rtlwifi: rtl_pci: " Sasha Levin
2020-02-14 16:20 ` [PATCH AUTOSEL 4.9 066/141] orinoco: avoid assertion in case of NULL pointer Sasha Levin
2020-02-14 16:20 ` [PATCH AUTOSEL 4.9 072/141] net/wan/fsl_ucc_hdlc: remove set but not used variables 'ut_info' and 'ret' Sasha Levin
2020-02-14 16:20 ` [PATCH AUTOSEL 4.9 079/141] tools lib api fs: Fix gcc9 stringop-truncation compilation error Sasha Levin
2020-02-14 16:20 ` [PATCH AUTOSEL 4.9 089/141] wan: ixp4xx_hss: fix compile-testing on 64-bit Sasha Levin
2020-02-14 16:20 ` [PATCH AUTOSEL 4.9 118/141] hostap: Adjust indentation in prism2_hostapd_add_sta Sasha Levin
2020-02-14 16:20 ` [PATCH AUTOSEL 4.9 119/141] rtlwifi: rtl8821ae: remove unused variables Sasha Levin
2020-02-14 16:21 ` [PATCH AUTOSEL 4.9 120/141] rtlwifi: rtl8192ee: " Sasha Levin
2020-02-14 16:21 ` [PATCH AUTOSEL 4.9 121/141] rtlwifi: rtl8723ae: " Sasha Levin
2020-02-14 16:21 ` [PATCH AUTOSEL 4.9 122/141] iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop Sasha Levin
2020-02-14 16:21 ` [PATCH AUTOSEL 4.9 124/141] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Sasha Levin
2020-02-14 16:21 ` Sasha Levin [this message]
2020-02-14 16:21 ` [PATCH AUTOSEL 4.9 137/141] iwlwifi: mvm: Fix thermal zone registration Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200214162122.19794-125-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=m1s5p6688@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).