Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2038482imm;
        Mon, 16 Jul 2018 00:39:03 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpd9bGxWiPar1bH7DA7/MSVKX9zuzmTpR4PlepuyG2sYurewx2Q4/wM3vlz7ZgStYjXBIrFZ
X-Received: by 2002:a62:9c17:: with SMTP id f23-v6mr17067287pfe.209.1531726743109;
        Mon, 16 Jul 2018 00:39:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1531726743; cv=none;
        d=google.com; s=arc-20160816;
        b=O/GsPbFS6DHNTZpE5ptKrGoRlEtZGgYj9MkiqPneLF4/Way+orT1vVwkn/9UOSMSTN
         EPH0pvuVunyFSXd9uFDUoaSUd0y5XmB7O9ym1EliZ7NNwa+715sKwpbFLFdvoQBATRXx
         68JdIK4Xjzb5FrTK7wCY3Zb2eduqwRC97FYmCAbg8HwEa4xX0VI9znn6BcO7Pz0BUTiA
         BUaIJ/wIrjZuNe8Q6uZE2pfZnrrAKANmWhVCCp25N4I4B3b9mEHCh9k/1B2nFkC84e0g
         ppuWXUT/S4Nno+9+LFOVlAb0HKTcQDx1PuIQZDgtMaWGFI6B4jlxYK3vQhD4OuLWhdZH
         Y1mg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=QRW05kL2MwvFXXJhY2CXqPY33WsDUCTRumL3DuBrZto=;
        b=xXdeTSVUhCVDUwRxFJDDq/XwB7/tzeNxpv+BpAeUi5P5x/e6Ow8mA3TQKuJZKjMR+S
         Tr0V5T7mOz1Qk057SyST4rJZy3FQkK+QwW+AnLcwyxrdth9+SZpoRHCmT1gH7Y7SGMsF
         cPz+3YG2IYJGi4d5xmDhkkSraxDqn+7Se435nq3ri8NT9ZT9u0mjSUyVz+w8DIyBpcT+
         Zk5wVwPez/rz3vSCLTe+a9t8jcQ5e6o7DD4fYrecCoPFHTha8giOb1AYzWAeHxPmhd3E
         klk9G/6yvwz4uevc4R1M6g57YVKDPdNrcvLZpyBOIJ1wJzfYWMknNmaBofrDUgZIq+oo
         lLKA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v11-v6si15060148pgo.278.2018.07.16.00.38.48;
        Mon, 16 Jul 2018 00:39:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731637AbeGPIDb (ORCPT <rfc822;jekfish0@gmail.com> + 99 others);
        Mon, 16 Jul 2018 04:03:31 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:46716 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728460AbeGPIDa (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 16 Jul 2018 04:03:30 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 460E9C03;
        Mon, 16 Jul 2018 07:37:29 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
        Murray McAllister <murray.mcallister@insomniasec.com>
Subject: [PATCH 4.17 13/67] staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data().
Date:   Mon, 16 Jul 2018 09:34:42 +0200
Message-Id: <20180716073445.113707440@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180716073443.294323458@linuxfoundation.org>
References: <20180716073443.294323458@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.17-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Murray McAllister <murray.mcallister@insomniasec.com>

commit 920c92448839bd4f8eb87a92b08cad56d449caff upstream.

Dan Carpenter reported an integer underflow issue in the rtl8188eu driver.
This is also needed for the length (signed integer) in rtl8723bs, as it is
later converted to an unsigned integer and used in a memcpy operation.

Original issue is at https://patchwork.kernel.org/patch/9796371/

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/rtl8723bs/core/rtw_ap.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/rtl8723bs/core/rtw_ap.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ap.c
@@ -1059,7 +1059,7 @@ int rtw_check_beacon_data(struct adapter
 		return _FAIL;
 
 
-	if (len > MAX_IE_SZ)
+	if (len < 0 || len > MAX_IE_SZ)
 		return _FAIL;
 
 	pbss_network->IELength = len;