diff options
Diffstat (limited to 'mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch')
-rw-r--r-- | mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch | 173 |
1 files changed, 0 insertions, 173 deletions
diff --git a/mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch b/mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch deleted file mode 100644 index c9a0f13a7..000000000 --- a/mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch +++ /dev/null @@ -1,173 +0,0 @@ -From patchwork Fri May 31 13:18:41 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Takashi Iwai <tiwai@suse.de> -X-Patchwork-Id: 10970141 -X-Patchwork-Delegate: kvalo@adurom.com -Return-Path: <linux-wireless-owner@kernel.org> -Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org - [172.30.200.125]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A2FA614C0 - for <patchwork-linux-wireless@patchwork.kernel.org>; - Fri, 31 May 2019 13:19:19 +0000 (UTC) -Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) - by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 914E928CA2 - for <patchwork-linux-wireless@patchwork.kernel.org>; - Fri, 31 May 2019 13:19:19 +0000 (UTC) -Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) - id 858EA28CA3; Fri, 31 May 2019 13:19:19 +0000 (UTC) -X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on - pdx-wl-mail.web.codeaurora.org -X-Spam-Level: -X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, - RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C4AB628CB5 - for <patchwork-linux-wireless@patchwork.kernel.org>; - Fri, 31 May 2019 13:19:18 +0000 (UTC) -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1726687AbfEaNTR (ORCPT - <rfc822;patchwork-linux-wireless@patchwork.kernel.org>); - Fri, 31 May 2019 09:19:17 -0400 -Received: from mx2.suse.de ([195.135.220.15]:46148 "EHLO mx1.suse.de" - rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP - id S1726330AbfEaNTR (ORCPT <rfc822;linux-wireless@vger.kernel.org>); - Fri, 31 May 2019 09:19:17 -0400 -X-Virus-Scanned: by amavisd-new at test-mx.suse.de -Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx1.suse.de (Postfix) with ESMTP id A72A4AE4D; - Fri, 31 May 2019 13:19:15 +0000 (UTC) -From: Takashi Iwai <tiwai@suse.de> -To: Kalle Valo <kvalo@codeaurora.org> -Cc: Amitkumar Karwar <amitkarwar@gmail.com>, - Nishant Sarmukadam <nishants@marvell.com>, - Ganapathi Bhat <gbhat@marvell.com>, - Xinming Hu <huxinming820@gmail.com>, - huangwen <huangwen@venustech.com.cn>, - Solar Designer <solar@openwall.com>, - Marcus Meissner <meissner@suse.de>, - linux-wireless@vger.kernel.org -Subject: [PATCH] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() -Date: Fri, 31 May 2019 15:18:41 +0200 -Message-Id: <20190531131841.7552-1-tiwai@suse.de> -X-Mailer: git-send-email 2.16.4 -Sender: linux-wireless-owner@vger.kernel.org -Precedence: bulk -List-ID: <linux-wireless.vger.kernel.org> -X-Mailing-List: linux-wireless@vger.kernel.org -X-Virus-Scanned: ClamAV using ClamSMTP - -A few places in mwifiex_uap_parse_tail_ies() perform memcpy() -unconditionally, which may lead to either buffer overflow or read over -boundary. - -This patch addresses the issues by checking the read size and the -destination size at each place more properly. Along with the fixes, -the patch cleans up the code slightly by introducing a temporary -variable for the token size, and unifies the error path with the -standard goto statement. - -Reported-by: huangwen <huangwen@venustech.com.cn> -Signed-off-by: Takashi Iwai <tiwai@suse.de> ---- - drivers/net/wireless/marvell/mwifiex/ie.c | 47 ++++++++++++++++++++----------- - 1 file changed, 31 insertions(+), 16 deletions(-) - -diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c -index 6845eb57b39a..653d347a9a19 100644 ---- a/drivers/net/wireless/marvell/mwifiex/ie.c -+++ b/drivers/net/wireless/marvell/mwifiex/ie.c -@@ -329,6 +329,8 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, - struct ieee80211_vendor_ie *vendorhdr; - u16 gen_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0; - int left_len, parsed_len = 0; -+ unsigned int token_len; -+ int err = 0; - - if (!info->tail || !info->tail_len) - return 0; -@@ -344,6 +346,12 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, - */ - while (left_len > sizeof(struct ieee_types_header)) { - hdr = (void *)(info->tail + parsed_len); -+ token_len = hdr->len + sizeof(struct ieee_types_header); -+ if (token_len > left_len) { -+ err = -EINVAL; -+ goto out; -+ } -+ - switch (hdr->element_id) { - case WLAN_EID_SSID: - case WLAN_EID_SUPP_RATES: -@@ -361,17 +369,20 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, - if (cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT, - WLAN_OUI_TYPE_MICROSOFT_WMM, - (const u8 *)hdr, -- hdr->len + sizeof(struct ieee_types_header))) -+ token_len)) - break; - /* fall through */ - default: -- memcpy(gen_ie->ie_buffer + ie_len, hdr, -- hdr->len + sizeof(struct ieee_types_header)); -- ie_len += hdr->len + sizeof(struct ieee_types_header); -+ if (ie_len + token_len > IEEE_MAX_IE_SIZE) { -+ err = -EINVAL; -+ goto out; -+ } -+ memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len); -+ ie_len += token_len; - break; - } -- left_len -= hdr->len + sizeof(struct ieee_types_header); -- parsed_len += hdr->len + sizeof(struct ieee_types_header); -+ left_len -= token_len; -+ parsed_len += token_len; - } - - /* parse only WPA vendor IE from tail, WMM IE is configured by -@@ -381,15 +392,17 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, - WLAN_OUI_TYPE_MICROSOFT_WPA, - info->tail, info->tail_len); - if (vendorhdr) { -- memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, -- vendorhdr->len + sizeof(struct ieee_types_header)); -- ie_len += vendorhdr->len + sizeof(struct ieee_types_header); -+ token_len = vendorhdr->len + sizeof(struct ieee_types_header); -+ if (ie_len + token_len > IEEE_MAX_IE_SIZE) { -+ err = -EINVAL; -+ goto out; -+ } -+ memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len); -+ ie_len += token_len; - } - -- if (!ie_len) { -- kfree(gen_ie); -- return 0; -- } -+ if (!ie_len) -+ goto out; - - gen_ie->ie_index = cpu_to_le16(gen_idx); - gen_ie->mgmt_subtype_mask = cpu_to_le16(MGMT_MASK_BEACON | -@@ -399,13 +412,15 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, - - if (mwifiex_update_uap_custom_ie(priv, gen_ie, &gen_idx, NULL, NULL, - NULL, NULL)) { -- kfree(gen_ie); -- return -1; -+ err = -EINVAL; -+ goto out; - } - - priv->gen_idx = gen_idx; -+ -+ out: - kfree(gen_ie); -- return 0; -+ return err; - } - - /* This function parses different IEs-head & tail IEs, beacon IEs, |