From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hante Meuleman , Pieter-Paul Giesberts , Franky Lin , Arend van Spriel , Kalle Valo , Ben Hutchings Subject: [PATCH 4.4 222/241] brcmfmac: add length checks in scheduled scan result handler Date: Sun, 9 Jun 2019 18:42:44 +0200 Message-Id: <20190609164155.095136210@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190609164147.729157653@linuxfoundation.org> References: <20190609164147.729157653@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Arend Van Spriel commit 4835f37e3bafc138f8bfa3cbed2920dd56fed283 upstream. Assure the event data buffer is long enough to hold the array of netinfo items and that SSID length does not exceed the maximum of 32 characters as per 802.11 spec. Reviewed-by: Hante Meuleman Reviewed-by: Pieter-Paul Giesberts Reviewed-by: Franky Lin Signed-off-by: Arend van Spriel Signed-off-by: Kalle Valo [bwh: Backported to 4.4: - Move the assignment to "data" along with the assignment to "netinfo_start" that depends on it - Adjust filename, context, indentation] Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) --- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c @@ -3328,6 +3328,7 @@ brcmf_notify_sched_scan_results(struct b struct brcmf_pno_scanresults_le *pfn_result; u32 result_count; u32 status; + u32 datalen; brcmf_dbg(SCAN, "Enter\n"); 
@@ -3354,6 +3355,14 @@ brcmf_notify_sched_scan_results(struct b if (result_count > 0) { int i; + data += sizeof(struct brcmf_pno_scanresults_le); + netinfo_start = (struct brcmf_pno_net_info_le *)data; + datalen = e->datalen - ((void *)netinfo_start - (void *)pfn_result); + if (datalen < result_count * sizeof(*netinfo)) { + brcmf_err("insufficient event data\n"); + goto out_err; + } + request = kzalloc(sizeof(*request), GFP_KERNEL); ssid = kcalloc(result_count, sizeof(*ssid), GFP_KERNEL); channel = kcalloc(result_count, sizeof(*channel), GFP_KERNEL); @@ -3363,9 +3372,6 @@ brcmf_notify_sched_scan_results(struct b } request->wiphy = wiphy; - data += sizeof(struct brcmf_pno_scanresults_le); - netinfo_start = (struct brcmf_pno_net_info_le *)data; - for (i = 0; i < result_count; i++) { netinfo = &netinfo_start[i]; if (!netinfo) { @@ -3375,6 +3381,8 @@ brcmf_notify_sched_scan_results(struct b goto out_err; } + if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN) + netinfo->SSID_len = IEEE80211_MAX_SSID_LEN; brcmf_dbg(SCAN, "SSID:%s Channel:%d\n", netinfo->SSID, netinfo->channel); memcpy(ssid[i].ssid, netinfo->SSID, netinfo->SSID_len);
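Review bot: in the @@ -3354,6 +3355,14 @@ hunk, the new bound can be defeated by unsigned wraparound in two places. `datalen = e->datalen - ((void *)netinfo_start - (void *)pfn_result);` is a u32 subtraction, and nothing in the lines shown guarantees that e->datalen is at least sizeof(struct brcmf_pno_scanresults_le); a shorter event would wrap datalen to a very large value and the "insufficient event data" test would pass. The right-hand side `result_count * sizeof(*netinfo)` is also computed in size_t from a u32 count taken from the event, so on a 32-bit build a large result_count can wrap the product below datalen. Suggest rejecting events shorter than the fixed header before subtracting, and comparing by division, e.g. `result_count > datalen / sizeof(*netinfo)`. Since `goto out_err` is now reachable before the kzalloc/kcalloc calls, please also confirm that request, ssid and channel are NULL at that point so the error path does not free uninitialised pointers.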
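Review bot: in the @@ -3375,6 +3381,8 @@ hunk, the SSID_len clamp protects the memcpy but not the `brcmf_dbg(SCAN, "SSID:%s Channel:%d\n", ...)` call directly after it, which still formats netinfo->SSID with %s and therefore reads until it finds a NUL byte regardless of SSID_len. Suggest printing with a bounded precision, `%.*s` with netinfo->SSID_len, now that the length is known to be at most IEEE80211_MAX_SSID_LEN. The clamp also writes the adjusted length back into the event buffer and truncates silently; the commit message says the length is assured not to exceed 32, so a debug message when clamping happens, or a comment explaining why truncation is preferred over rejecting the entry, would make malformed firmware events visible.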