From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Qing Xu <m1s5p6688@gmail.com>, Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 089/100] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
Date: Fri, 14 Feb 2020 11:24:13 -0500 [thread overview]
Message-ID: <20200214162425.21071-89-sashal@kernel.org> (raw)
In-Reply-To: <20200214162425.21071-1-sashal@kernel.org>
From: Qing Xu <m1s5p6688@gmail.com>
[ Upstream commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d ]
mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking
the destination size may trigger a buffer overflower,
which a local user could use to cause denial of service
or the execution of arbitrary code.
Fix it by putting the length check before calling memcpy().
Signed-off-by: Qing Xu <m1s5p6688@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mwifiex/scan.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c
index 39b78dc1bd92b..e7c8972431d34 100644
--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -2568,6 +2568,13 @@ mwifiex_cmd_append_vsie_tlv(struct mwifiex_private *priv,
vs_param_set->header.len =
cpu_to_le16((((u16) priv->vs_ie[id].ie[1])
& 0x00FF) + 2);
+ if (le16_to_cpu(vs_param_set->header.len) >
+ MWIFIEX_MAX_VSIE_LEN) {
+ mwifiex_dbg(priv->adapter, ERROR,
+ "Invalid param length!\n");
+ break;
+ }
+
memcpy(vs_param_set->ie, priv->vs_ie[id].ie,
le16_to_cpu(vs_param_set->header.len));
*buffer += le16_to_cpu(vs_param_set->header.len) +
--
2.20.1
prev parent reply other threads:[~2020-02-14 16:26 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200214162425.21071-1-sashal@kernel.org>
2020-02-14 16:22 ` [PATCH AUTOSEL 4.4 003/100] brcmfmac: Fix use after free in brcmf_sdio_readframes() Sasha Levin
2020-02-14 16:22 ` [PATCH AUTOSEL 4.4 004/100] gianfar: Fix TX timestamping with a stacked DSA driver Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 017/100] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 018/100] libertas: make lbs_ibss_join_existing() return error code on rates overflow Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 037/100] NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 041/100] isdn: don't mark kcapi_proc_exit as __exit Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 043/100] b43legacy: Fix -Wcast-function-type Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 044/100] ipw2x00: " Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 045/100] iwlegacy: " Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 046/100] rtlwifi: rtl_pci: " Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 048/100] orinoco: avoid assertion in case of NULL pointer Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 057/100] tools lib api fs: Fix gcc9 stringop-truncation compilation error Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 065/100] wan: ixp4xx_hss: fix compile-testing on 64-bit Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 083/100] hostap: Adjust indentation in prism2_hostapd_add_sta Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 084/100] rtlwifi: rtl8821ae: remove unused variables Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 085/100] rtlwifi: rtl8192ee: " Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 086/100] rtlwifi: rtl8723ae: " Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 087/100] iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 088/100] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Sasha Levin
2020-02-14 16:24 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200214162425.21071-89-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=m1s5p6688@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).