linux-kernel.vger.kernel.org archive mirror
From: gregkh@linuxfoundation.org
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Lee Gibson <leegib@gmail.com>
Subject: [PATCH 4.19 094/120] staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd
Date: Mon, 15 Mar 2021 14:57:25 +0100
Message-ID: <20210315135723.056930586@linuxfoundation.org>
In-Reply-To: <20210315135720.002213995@linuxfoundation.org>

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

From: Lee Gibson <leegib@gmail.com>

commit b93c1e3981af19527beee1c10a2bef67a228c48c upstream.

Function r8712_sitesurvey_cmd calls memcpy without checking the length.
A user could control that length and trigger a buffer overflow.
Fix by checking the length is within the maximum allowed size.

Signed-off-by: Lee Gibson <leegib@gmail.com>
Link: https://lore.kernel.org/r/20210301132648.420296-1-leegib@gmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/rtl8712/rtl871x_cmd.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/staging/rtl8712/rtl871x_cmd.c
+++ b/drivers/staging/rtl8712/rtl871x_cmd.c
@@ -242,8 +242,10 @@ u8 r8712_sitesurvey_cmd(struct _adapter
 	psurveyPara->ss_ssidlen = 0;
 	memset(psurveyPara->ss_ssid, 0, IW_ESSID_MAX_SIZE + 1);
 	if ((pssid != NULL) && (pssid->SsidLength)) {
-		memcpy(psurveyPara->ss_ssid, pssid->Ssid, pssid->SsidLength);
-		psurveyPara->ss_ssidlen = cpu_to_le32(pssid->SsidLength);
+		int len = min_t(int, pssid->SsidLength, IW_ESSID_MAX_SIZE);
+
+		memcpy(psurveyPara->ss_ssid, pssid->Ssid, len);
+		psurveyPara->ss_ssidlen = cpu_to_le32(len);
 	}
 	set_fwstate(pmlmepriv, _FW_UNDER_SURVEY);
 	r8712_enqueue_cmd(pcmdpriv, ph2c);
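
Review bot: the added `int len = min_t(int, pssid->SsidLength, IW_ESSID_MAX_SIZE);` does the clamp in signed arithmetic, which is only safe if `SsidLength` can never exceed INT_MAX. Its declaration is not visible in this hunk, but the value is passed to `cpu_to_le32()`, which suggests a 32-bit field. If that field is unsigned, a value above INT_MAX is cast to a negative int, wins the `min_t`, and reaches `memcpy` as a very large size, so the overflow the commit message describes is still reachable. Comparing in an unsigned type, for example `min_t(u32, pssid->SsidLength, IW_ESSID_MAX_SIZE)` with `len` declared as `u32` or `size_t`, closes that case. The bound itself looks right: the `memset` above clears `IW_ESSID_MAX_SIZE + 1` bytes, so a copy of at most `IW_ESSID_MAX_SIZE` leaves the final byte zero. One further point is that an oversized SSID is now silently truncated and the survey proceeds with a different SSID than the caller supplied. Rejecting the request where the length is first accepted from the user would make the failure visible, and the commit message would benefit from naming that entry point.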


