From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, huangwen <huangwenabc@gmail.com>,
Ganapathi Bhat <gbhat@marvell.com>,
Kalle Valo <kvalo@codeaurora.org>,
Ben Hutchings <ben.hutchings@codethink.co.uk>
Subject: [PATCH 4.9 25/31] mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
Date: Tue, 14 Jan 2020 11:02:17 +0100 [thread overview]
Message-ID: <20200114094344.665329691@linuxfoundation.org> (raw)
In-Reply-To: <20200114094334.725604663@linuxfoundation.org>
From: Ganapathi Bhat <gbhat@marvell.com>
commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.
mwifiex_process_country_ie() function parse elements of bss
descriptor in beacon packet. When processing WLAN_EID_COUNTRY
element, there is no upper limit check for country_ie_len before
calling memcpy. The destination buffer domain_info->triplet is an
array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
attacker can build a fake AP with the same ssid as real AP, and
send malicous beacon packet with long WLAN_EID_COUNTRY elemen
(country_ie_len > 83). Attacker can force STA connect to fake AP
on a different channel. When the victim STA connects to fake AP,
will trigger the heap buffer overflow. Fix this by checking for
length and if found invalid, don not connect to the AP.
This fix addresses CVE-2019-14895.
Reported-by: huangwen <huangwenabc@gmail.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
@@ -271,6 +271,14 @@ static int mwifiex_process_country_ie(st
"11D: skip setting domain info in FW\n");
return 0;
}
+
+ if (country_ie_len >
+ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
+ mwifiex_dbg(priv->adapter, ERROR,
+ "11D: country_ie_len overflow!, deauth AP\n");
+ return -EINVAL;
+ }
+
memcpy(priv->adapter->country_code, &country_ie[2], 2);
domain_info->country_code[0] = country_ie[2];
@@ -314,8 +322,9 @@ int mwifiex_bss_start(struct mwifiex_pri
priv->scan_block = false;
if (bss) {
- if (adapter->region_code == 0x00)
- mwifiex_process_country_ie(priv, bss);
+ if (adapter->region_code == 0x00 &&
+ mwifiex_process_country_ie(priv, bss))
+ return -EINVAL;
/* Allocate and fill new bss descriptor */
bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
next prev parent reply other threads:[~2020-01-14 10:14 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-14 10:01 [PATCH 4.9 00/31] 4.9.210-stable review Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 4.9 01/31] kobject: Export kobject_get_unless_zero() Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 4.9 02/31] chardev: Avoid potential use-after-free in chrdev_open() Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 4.9 03/31] usb: chipidea: host: Disable port power only if previously enabled Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 4.9 04/31] ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 4.9 05/31] tcp: minimize false-positives on TCP/GRO check Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 4.9 06/31] kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 4.9 07/31] tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 08/31] HID: Fix slab-out-of-bounds read in hid_field_extract Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 09/31] HID: uhid: Fix returning EPOLLOUT from uhid_char_poll Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 10/31] HID: hid-input: clear unmapped usages Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 11/31] Input: add safety guards to input_set_keycode() Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 12/31] drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 13/31] can: gs_usb: gs_usb_probe(): use descriptors of current altsetting Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 14/31] can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 15/31] can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 16/31] staging: vt6656: set usb_set_intfdata on driver fail Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 17/31] USB: serial: option: add ZLP support for 0x1bc7/0x9010 Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 18/31] usb: musb: fix idling for suspend after disconnect interrupt Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 19/31] usb: musb: Disable pullup at init Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 20/31] usb: musb: dma: Correct parameter passed to IRQ handler Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 21/31] staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 22/31] staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21 Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 23/31] tty: link tty and port before configuring it as console Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 24/31] tty: always relink the port Greg Kroah-Hartman
2020-01-14 10:02 ` Greg Kroah-Hartman [this message]
2020-01-14 10:02 ` [PATCH 4.9 26/31] mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 27/31] scsi: bfa: release allocated memory in case of error Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 28/31] rtl8xxxu: prevent leaking urb Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 29/31] USB: Fix: Dont skip endpoint descriptors with maxpacket=0 Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 30/31] netfilter: arp_tables: init netns pointer in xt_tgchk_param struct Greg Kroah-Hartman
2020-01-14 10:02 ` [PATCH 4.9 31/31] netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present Greg Kroah-Hartman
2020-01-14 15:01 ` [PATCH 4.9 00/31] 4.9.210-stable review Jon Hunter
2020-01-14 18:41 ` Guenter Roeck
2020-01-14 20:32 ` shuah
2020-01-15 2:08 ` Daniel Díaz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200114094344.665329691@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ben.hutchings@codethink.co.uk \
--cc=gbhat@marvell.com \
--cc=huangwenabc@gmail.com \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).