From: Phil Turnbull <philipturnbull@github.com>
To: linux-wireless@vger.kernel.org
Cc: ajay.kathat@microchip.com, claudiu.beznea@microchip.com,
kvalo@kernel.org, Phil Turnbull <philipturnbull@github.com>
Subject: [PATCH 3/4] wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute
Date: Wed, 23 Nov 2022 10:35:42 -0500 [thread overview]
Message-ID: <20221123153543.8568-4-philipturnbull@github.com> (raw)
In-Reply-To: <20221123153543.8568-1-philipturnbull@github.com>
Validate that the IEEE80211_P2P_ATTR_CHANNEL_LIST attribute contains
enough space for a 'struct wilc_attr_oper_ch'. If the attribute is too
small then it can trigger an out-of-bounds write later in the function.
'struct wilc_attr_oper_ch' is variable sized so also check 'attr_len'
does not extend beyond the end of 'buf'.
Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
---
drivers/net/wireless/microchip/wilc1000/cfg80211.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
index aedf0e8b69b9..c4d5a272ccc0 100644
--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
@@ -967,7 +967,8 @@ static inline void wilc_wfi_cfg_parse_ch_attr(u8 *buf, u32 len, u8 sta_ch)
if (index + sizeof(*e) + attr_size > len)
return;
- if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST)
+ if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST &&
+ attr_size >= (sizeof(struct wilc_attr_ch_list) - sizeof(*e)))
ch_list_idx = index;
else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL &&
attr_size == (sizeof(struct wilc_attr_oper_ch) - sizeof(*e)))
--
2.34.1
next prev parent reply other threads:[~2022-11-23 15:35 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-23 15:35 [PATCH 0/4] wilc1000: Improve RSN and attribute parsing Phil Turnbull
2022-11-23 15:35 ` [PATCH 1/4] wifi: wilc1000: validate pairwise and authentication suite offsets Phil Turnbull
2022-11-24 16:11 ` Kalle Valo
2022-11-23 15:35 ` [PATCH 2/4] wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute Phil Turnbull
2022-11-23 15:35 ` Phil Turnbull [this message]
2022-11-23 15:35 ` [PATCH 4/4] wifi: wilc1000: validate number of channels Phil Turnbull
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221123153543.8568-4-philipturnbull@github.com \
--to=philipturnbull@github.com \
--cc=ajay.kathat@microchip.com \
--cc=claudiu.beznea@microchip.com \
--cc=kvalo@kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.