From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
To: Brian Norris <briannorris@chromium.org>,
	Kalle Valo <kvalo@kernel.org>,
	Amitkumar Karwar <akarwar@marvell.com>,
	Xinming Hu <huxm@marvell.com>, Dan Williams <dcbw@redhat.com>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	linux-hardening@vger.kernel.org
Subject: [PATCH 3/3] wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
Date: Wed, 23 Aug 2023 16:33:19 -0600
Message-ID: <587423b0737108effe82aefed4407daca39e9a51.1692829410.git.gustavoars@kernel.org>
In-Reply-To: <cover.1692829410.git.gustavoars@kernel.org>

Add sanity checks for both `tlv_len` and `tlv_bitmap_len` before
decoding data from `event_buf`.

This prevents any malicious or buggy firmware from overflowing
`event_buf` through large values for `tlv_len` or `tlv_bitmap_len`.

Suggested-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 .../net/wireless/marvell/mwifiex/11n_rxreorder.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
index 735aac52bdc4..9ee3b9f1e9ce 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
@@ -921,6 +921,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv,
 	while (tlv_buf_left > sizeof(*tlv_rxba)) {
 		tlv_type = le16_to_cpu(tlv_rxba->header.type);
 		tlv_len  = le16_to_cpu(tlv_rxba->header.len);
+		if (size_add(sizeof(tlv_rxba->header), tlv_len) > tlv_buf_left) {
+			mwifiex_dbg(priv->adapter, WARN,
+				    "TLV size (%ld) overflows event_buf (%d)\n",
+				    size_add(sizeof(tlv_rxba->header), tlv_len),
+				    tlv_buf_left);
+			return;
+		}
+
 		if (tlv_type != TLV_TYPE_RXBA_SYNC) {
 			mwifiex_dbg(priv->adapter, ERROR,
 				    "Wrong TLV id=0x%x\n", tlv_type);
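Review bot: In the added mwifiex_dbg() call of this hunk, the result of size_add() is printed with `%ld`, but size_add() returns size_t, so the specifier should be `%zu`; as written this produces a -Wformat warning on 32-bit builds, where size_t is not a long. It would also be cleaner to compute `size_add(sizeof(tlv_rxba->header), tlv_len)` once into a local size_t and use that for both the comparison and the message, so the two cannot drift apart.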
@@ -929,6 +937,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv,
 
 		tlv_seq_num = le16_to_cpu(tlv_rxba->seq_num);
 		tlv_bitmap_len = le16_to_cpu(tlv_rxba->bitmap_len);
+		if (size_add(sizeof(*tlv_rxba), tlv_bitmap_len) > tlv_buf_left) {
+			mwifiex_dbg(priv->adapter, WARN,
+				    "TLV size (%ld) overflows event_buf (%d)\n",
+				    size_add(sizeof(*tlv_rxba), tlv_bitmap_len),
+				    tlv_buf_left);
+			return;
+		}
+
 		mwifiex_dbg(priv->adapter, INFO,
 			    "%pM tid=%d seq_num=%d bitmap_len=%d\n",
 			    tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num,
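Review bot: The added bitmap_len check bounds `sizeof(*tlv_rxba) + tlv_bitmap_len` against tlv_buf_left only, not against the length this TLV declared in its header, so a bitmap_len larger than what tlv_len covers still passes whenever it fits in the remainder of the event, and the bitmap would then be taken from bytes belonging to whatever follows this TLV. Consider also rejecting the TLV when `sizeof(*tlv_rxba) + tlv_bitmap_len` exceeds `sizeof(tlv_rxba->header) + tlv_len`. The `%ld` specifier has the same size_t mismatch as in the first hunk (`%zu` is the matching one), and because the warning text is identical in both places the two failures cannot be told apart in the log; naming bitmap_len in this message would fix that.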
-- 
2.34.1

