Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp847259ybi; Fri, 12 Jul 2019 05:38:21 -0700 (PDT) X-Google-Smtp-Source: APXvYqwtIwnW0DvNT8RnKWCJCSxq6c/F4OL5POdpX9fHZerr4VBo2L8pS3RpMdf6Y0FTQOtcjHYs X-Received: by 2002:a17:902:543:: with SMTP id 61mr11288377plf.20.1562935101168; Fri, 12 Jul 2019 05:38:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562935101; cv=none; d=google.com; s=arc-20160816; b=Ih7Y83UglAKymh41neaa+i3s492hO/yBWR5PEgQbRb1642ISmXsY/YgZeqtGrybAZk a2tCcgw37ok3qVPRPgOS0dD9enJNsmPMT6QLrz6UTZhj0fSnnmJmFlr9dgLXW4XTelh6 L9m/veftQ9ZOZMJWOURvTllbYQ3Vhkbignm5zjTt88Ha8gvnI5/eGeGBCgd7oQJLGsZV td7uRfcyHRhmaCWMouirnPbtaoJWIckACNWq7/nLhuYws4/BI3FxC43syMFewAH/oS10 UlVrTJg2YvPIh4o0qVeAEz5GMKpxRgO0+yIzxouXIuKnWh/w3JSUwi3qwUef6ZcFN3P7 rMOQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=5QL0jtZXgRMVYs6mjOjPxSlybEmOM6ZOSC21UTKTzfc=; b=YsuPYEXLdtZ2TL7kgSX1PgWbX2+EBKJazONXCNL4tqaWhQGVLbNBdtC/x9UAsD7OuI QKAggiygjtkwoPeAMNzPliMmSkvwBsZ9KxEpkQCQ1gF8H+8m5n0lhrK0G6WMrwk58IoE bJC9Qd6KOPh0uWWDj6i73H9Uosuf88wret48vhdA66CiN4OVIBTff1niebLsLM6gijvK XzGv+w2CK77FKXFkQNMrnqnJ+54GIz/5Qlb/qZfofCPYn5mcFmlf6UsS7rmtBeQiAyhR X8CZ+xdXKBw95qSPBNqcloFANJmG9AWrRuUaNWlkzo1U4aAQzJZoQIebuFm/cQc2ZKHQ GkOw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=SCdjoqnD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m63si8309646pjb.8.2019.07.12.05.38.06; Fri, 12 Jul 2019 05:38:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=SCdjoqnD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729271AbfGLMcu (ORCPT + 99 others); Fri, 12 Jul 2019 08:32:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:51130 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727613AbfGLMcp (ORCPT ); Fri, 12 Jul 2019 08:32:45 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BCB922166E; Fri, 12 Jul 2019 12:32:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562934764; bh=Z6VkdeKrpVIqK7Z0F2De/eKSsoc/56RftiXPYgzJr24=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SCdjoqnDdda3U+/PUMJFw1wL0+gZMUvE1Xv1miWaakI8AhhWrGVstN0pX6xOwzd91 XVbxF3fLqRnB2W2jiu2tvgEBwm8YygM3TXw5Kl0ENobbuLkhLlZKWHeiG0Zms21NHc pk02HECKHZR7Z3Zvu/dqK0oGFDQZ/eZ1w3ir7Wec= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takashi Iwai , Brian Norris , Kalle Valo Subject: [PATCH 5.2 23/61] mwifiex: Dont abort on small, spec-compliant vendor IEs Date: Fri, 12 Jul 2019 14:19:36 +0200 Message-Id: <20190712121621.887990699@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190712121620.632595223@linuxfoundation.org> References: <20190712121620.632595223@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Brian Norris commit 63d7ef36103d26f20325a921ecc96a3288560146 upstream. Per the 802.11 specification, vendor IEs are (at minimum) only required to contain an OUI. A type field is also included in ieee80211.h (struct ieee80211_vendor_ie) but doesn't appear in the specification. The remaining fields (subtype, version) are a convention used in WMM headers. Thus, we should not reject vendor-specific IEs that have only the minimum length (3 bytes) -- we should skip over them (since we only want to match longer IEs, that match either WMM or WPA formats). We can reject elements that don't have the minimum-required 3 byte OUI. While we're at it, move the non-standard subtype and version fields into the WMM structs, to avoid this confusion in the future about generic "vendor header" attributes. Fixes: 685c9b7750bf ("mwifiex: Abort at too short BSS descriptor element") Cc: Takashi Iwai Signed-off-by: Brian Norris Reviewed-by: Takashi Iwai Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/marvell/mwifiex/fw.h | 12 +++++++++--- drivers/net/wireless/marvell/mwifiex/scan.c | 18 +++++++++++------- drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 4 ++-- drivers/net/wireless/marvell/mwifiex/wmm.c | 2 +- 4 files changed, 23 insertions(+), 13 deletions(-) --- a/drivers/net/wireless/marvell/mwifiex/fw.h +++ b/drivers/net/wireless/marvell/mwifiex/fw.h @@ -1759,9 +1759,10 @@ struct mwifiex_ie_types_wmm_queue_status struct ieee_types_vendor_header { u8 element_id; u8 len; - u8 oui[4]; /* 0~2: oui, 3: oui_type */ - u8 oui_subtype; - u8 version; + struct { + u8 oui[3]; + u8 oui_type; + } __packed oui; } __packed; struct ieee_types_wmm_parameter { @@ -1775,6 +1776,9 @@ struct ieee_types_wmm_parameter { * Version [1] */ struct ieee_types_vendor_header vend_hdr; + u8 oui_subtype; + u8 version; + u8 qos_info_bitmap; u8 reserved; struct ieee_types_wmm_ac_parameters ac_params[IEEE80211_NUM_ACS]; @@ -1792,6 +1796,8 @@ struct ieee_types_wmm_info { * Version [1] */ struct ieee_types_vendor_header vend_hdr; + u8 oui_subtype; + u8 version; u8 qos_info_bitmap; } __packed; --- a/drivers/net/wireless/marvell/mwifiex/scan.c +++ b/drivers/net/wireless/marvell/mwifiex/scan.c @@ -1361,21 +1361,25 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_VENDOR_SPECIFIC: - if (element_len + 2 < sizeof(vendor_ie->vend_hdr)) - return -EINVAL; - vendor_ie = (struct ieee_types_vendor_specific *) current_ptr; - if (!memcmp - (vendor_ie->vend_hdr.oui, wpa_oui, - sizeof(wpa_oui))) { + /* 802.11 requires at least 3-byte OUI. */ + if (element_len < sizeof(vendor_ie->vend_hdr.oui.oui)) + return -EINVAL; + + /* Not long enough for a match? Skip it. */ + if (element_len < sizeof(wpa_oui)) + break; + + if (!memcmp(&vendor_ie->vend_hdr.oui, wpa_oui, + sizeof(wpa_oui))) { bss_entry->bcn_wpa_ie = (struct ieee_types_vendor_specific *) current_ptr; bss_entry->wpa_offset = (u16) (current_ptr - bss_entry->beacon_buf); - } else if (!memcmp(vendor_ie->vend_hdr.oui, wmm_oui, + } else if (!memcmp(&vendor_ie->vend_hdr.oui, wmm_oui, sizeof(wmm_oui))) { if (total_ie_len == sizeof(struct ieee_types_wmm_parameter) || --- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c @@ -1351,7 +1351,7 @@ mwifiex_set_gen_ie_helper(struct mwifiex /* Test to see if it is a WPA IE, if not, then * it is a gen IE */ - if (!memcmp(pvendor_ie->oui, wpa_oui, + if (!memcmp(&pvendor_ie->oui, wpa_oui, sizeof(wpa_oui))) { /* IE is a WPA/WPA2 IE so call set_wpa function */ @@ -1361,7 +1361,7 @@ mwifiex_set_gen_ie_helper(struct mwifiex goto next_ie; } - if (!memcmp(pvendor_ie->oui, wps_oui, + if (!memcmp(&pvendor_ie->oui, wps_oui, sizeof(wps_oui))) { /* Test to see if it is a WPS IE, * if so, enable wps session flag --- a/drivers/net/wireless/marvell/mwifiex/wmm.c +++ b/drivers/net/wireless/marvell/mwifiex/wmm.c @@ -240,7 +240,7 @@ mwifiex_wmm_setup_queue_priorities(struc mwifiex_dbg(priv->adapter, INFO, "info: WMM Parameter IE: version=%d,\t" "qos_info Parameter Set Count=%d, Reserved=%#x\n", - wmm_ie->vend_hdr.version, wmm_ie->qos_info_bitmap & + wmm_ie->version, wmm_ie->qos_info_bitmap & IEEE80211_WMM_IE_AP_QOSINFO_PARAM_SET_CNT_MASK, wmm_ie->reserved);