From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Qing Xu <m1s5p6688@gmail.com>,
Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 46/52] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()
Date: Thu, 13 Feb 2020 07:21:27 -0800 [thread overview]
Message-ID: <20200213151828.881124833@linuxfoundation.org> (raw)
In-Reply-To: <20200213151810.331796857@linuxfoundation.org>
From: Qing Xu <m1s5p6688@gmail.com>
[ Upstream commit 3a9b153c5591548612c3955c9600a98150c81875 ]
mwifiex_ret_wmm_get_status() calls memcpy() without checking the
destination size.Since the source is given from remote AP which
contains illegal wmm elements , this may trigger a heap buffer
overflow.
Fix it by putting the length check before calling memcpy().
Signed-off-by: Qing Xu <m1s5p6688@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/wmm.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/wmm.c b/drivers/net/wireless/marvell/mwifiex/wmm.c
index 64916ba15df5d..429ea2752e6aa 100644
--- a/drivers/net/wireless/marvell/mwifiex/wmm.c
+++ b/drivers/net/wireless/marvell/mwifiex/wmm.c
@@ -977,6 +977,10 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private *priv,
"WMM Parameter Set Count: %d\n",
wmm_param_ie->qos_info_bitmap & mask);
+ if (wmm_param_ie->vend_hdr.len + 2 >
+ sizeof(struct ieee_types_wmm_parameter))
+ break;
+
memcpy((u8 *) &priv->curr_bss_params.bss_descriptor.
wmm_ie, wmm_param_ie,
wmm_param_ie->vend_hdr.len + 2);
--
2.20.1
next prev parent reply other threads:[~2020-02-13 15:49 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-13 15:20 [PATCH 4.19 00/52] 4.19.104-stable review Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 01/52] ASoC: pcm: update FE/BE trigger order based on the command Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 02/52] hv_sock: Remove the accept port restriction Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 03/52] IB/mlx4: Fix memory leak in add_gid error flow Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 04/52] RDMA/netlink: Do not always generate an ACK for some netlink operations Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 05/52] RDMA/core: Fix locking in ib_uverbs_event_read Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 06/52] RDMA/uverbs: Verify MR access flags Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 07/52] scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 08/52] PCI/IOV: Fix memory leak in pci_iov_add_virtfn() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 09/52] ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 10/52] PCI/switchtec: Fix vep_vector_number ioread width Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 11/52] PCI: Dont disable bridge BARs when assigning bus resources Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 12/52] nfs: NFS_SWAP should depend on SWAP Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 13/52] NFS: Revalidate the file size on a fatal write error Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 14/52] NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 15/52] NFSv4: try lease recovery on NFS4ERR_EXPIRED Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 16/52] serial: uartps: Add a timeout to the tx empty wait Greg Kroah-Hartman
2020-02-13 18:22 ` Pavel Machek
2020-02-13 18:29 ` Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 17/52] gpio: zynq: Report gpio direction at boot Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.19 18/52] spi: spi-mem: Add extra sanity checks on the op param Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 19/52] spi: spi-mem: Fix inverted logic in op sanity check Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 20/52] rtc: hym8563: Return -EINVAL if the time is known to be invalid Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 21/52] rtc: cmos: Stop using shared IRQ Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 22/52] ARC: [plat-axs10x]: Add missing multicast filter number to GMAC node Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 23/52] platform/x86: intel_mid_powerbtn: Take a copy of ddata Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 24/52] ARM: dts: at91: Reenable UART TX pull-ups Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 25/52] ARM: dts: am43xx: add support for clkout1 clock Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 26/52] ARM: dts: at91: sama5d3: fix maximum peripheral clock rates Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 27/52] ARM: dts: at91: sama5d3: define clock rate range for tcb1 Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 28/52] tools/power/acpi: fix compilation error Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 29/52] powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 30/52] powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 31/52] iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 32/52] KVM: arm/arm64: vgic-its: Fix restoration of unmapped collections Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 33/52] ARM: 8949/1: mm: mark free_memmap as __init Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 34/52] arm64: cpufeature: Fix the type of no FP/SIMD capability Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 35/52] arm64: ptrace: nofpsimd: Fail FP/SIMD regset operations Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 36/52] KVM: arm/arm64: Fix young bit from mmu notifier Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 37/52] KVM: arm: Fix DFSR setting for non-LPAE aarch32 guests Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 38/52] KVM: arm: Make inject_abt32() inject an external abort instead Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 39/52] KVM: arm64: pmu: Dont increment SW_INCR if PMCR.E is unset Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 40/52] mtd: onenand_base: Adjust indentation in onenand_read_ops_nolock Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 41/52] mtd: sharpslpart: Fix unsigned comparison to zero Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 42/52] crypto: artpec6 - return correct error code for failed setkey() Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 43/52] crypto: atmel-sha - fix error handling when setting hmac key Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 44/52] media: i2c: adv748x: Fix unsafe macros Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 45/52] pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B Greg Kroah-Hartman
2020-02-13 15:21 ` Greg Kroah-Hartman [this message]
2020-02-13 15:21 ` [PATCH 4.19 47/52] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 48/52] libertas: dont exit from lbs_ibss_join_existing() with RCU read lock held Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 49/52] libertas: make lbs_ibss_join_existing() return error code on rates overflow Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 50/52] scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 51/52] x86/stackframe: Move ENCODE_FRAME_POINTER to asm/frame.h Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.19 52/52] x86/stackframe, x86/ftrace: Add pt_regs frame annotations Greg Kroah-Hartman
2020-02-13 16:53 ` [PATCH 4.19 00/52] 4.19.104-stable review Chris Paterson
2020-02-14 0:46 ` shuah
2020-02-14 5:28 ` Guenter Roeck
2020-02-14 6:30 ` Greg Kroah-Hartman
2020-02-14 10:26 ` Jon Hunter
2020-02-14 10:49 ` Naresh Kamboju
2020-02-14 16:27 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200213151828.881124833@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=m1s5p6688@gmail.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).