Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp851032ybi; Fri, 12 Jul 2019 05:42:15 -0700 (PDT) X-Google-Smtp-Source: APXvYqy8h0zS7DtN6430RjY+VSv6e4vEDXwY2hTl0cKyEWth2axN/vn9SqL3ADjVEETwX0y0d7Sl X-Received: by 2002:a65:6102:: with SMTP id z2mr10518974pgu.391.1562935335089; Fri, 12 Jul 2019 05:42:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562935335; cv=none; d=google.com; s=arc-20160816; b=hTPI/J42Fohxu6RQzcvz/YP12GBYXBYPvoeJjgWafTjLRdstwkFWRqyEuFI0RCft+s dVelATCHgdmGp+Y/uZY7QF0ZzL2cAtsrutxJyHkgS8DNiN0v1dVuayzVO427+M1mcssi NlObDZ+cU84ybwoJKGGvDv8vn0znMLWNZM0NM+riIFpJbrlqIFT07qRzuHNZtANogS+y 9J9F0o/woauIPIyzZrusRW+Li7OjNABEuDZKfNR6T9LRmfT+o6URBiZ+u6DvWFlPAyTZ smEAw7U7hgmP2YeDJ10/zhNztImfU081dC6rJPXDkzlhIsClCT7/KunHqPp3PHGkTiyR O+WQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=abYNiYSlRqFrGyg9Hej2Q4WKHiOd2tB5VO8OoxH6tNA=; b=Vco7v0E2VJ5USU684z0SN/P+OH1BtJYBcCrbhQe4+513nhOnKeW9BuT8h5Ij0sdf+x NPlJFRiutIdi1WJ6oMnLupTXg4/ZxlNlXajjYt5UmUj9UcqlwMHq27VI7Swp3WpLaLjw agR8AAe0W+zlAxsPYqe4qqPICdj3NeJq6GY8krMRqN9ZuZKpAsBZZzikH98OyqSMG6R2 LJEb7KeB/ujRjrX5Y03YQBq67rl8wuH6j0jStwdIiJT7JyuLaP9/fvQ29H4ivoKEKSLG Wu0K4jqTH8x6zUVYDoJzWQHgwoU8VYwOQKQGk6MHy7wYS11Nm4nW13ciWXpAOIhysFsh pgwg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=CUfup2ta; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n13si7497104plp.354.2019.07.12.05.41.59; Fri, 12 Jul 2019 05:42:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=CUfup2ta; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728664AbfGLMjn (ORCPT + 99 others); Fri, 12 Jul 2019 08:39:43 -0400 Received: from mail.kernel.org ([198.145.29.99]:38384 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727334AbfGLM0s (ORCPT ); Fri, 12 Jul 2019 08:26:48 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A66E02084B; Fri, 12 Jul 2019 12:26:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562934407; bh=PNQabgyv3VOnJiq0fbNhX/nvuOY9v4LsybKLuBuLFGo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CUfup2tab2CnwlLxmAjlJWpJLWVZTvbDLFNll/xzTLr0k/PVxWnOYeEMC2cxuC82T 6nyoL5VsytomvJaGqNIX/s/5oatTAnyq7MeuorzN4Ktm9zoZP7OOaZI2a4WSMcVp2j 9WXe2BoFSLGAOB59I2c7ZQHLsuTE7C57DJG0w0ko= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, huangwen , Takashi Iwai , Kalle Valo , Sasha Levin Subject: [PATCH 5.1 028/138] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() Date: Fri, 12 Jul 2019 14:18:12 +0200 Message-Id: <20190712121629.781419565@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190712121628.731888964@linuxfoundation.org> References: <20190712121628.731888964@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit 69ae4f6aac1578575126319d3f55550e7e440449 ] A few places in mwifiex_uap_parse_tail_ies() perform memcpy() unconditionally, which may lead to either buffer overflow or read over boundary. This patch addresses the issues by checking the read size and the destination size at each place more properly. Along with the fixes, the patch cleans up the code slightly by introducing a temporary variable for the token size, and unifies the error path with the standard goto statement. Reported-by: huangwen Signed-off-by: Takashi Iwai Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin --- drivers/net/wireless/marvell/mwifiex/ie.c | 47 +++++++++++++++-------- 1 file changed, 31 insertions(+), 16 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c index 6845eb57b39a..653d347a9a19 100644 --- a/drivers/net/wireless/marvell/mwifiex/ie.c +++ b/drivers/net/wireless/marvell/mwifiex/ie.c @@ -329,6 +329,8 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, struct ieee80211_vendor_ie *vendorhdr; u16 gen_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0; int left_len, parsed_len = 0; + unsigned int token_len; + int err = 0; if (!info->tail || !info->tail_len) return 0; @@ -344,6 +346,12 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, */ while (left_len > sizeof(struct ieee_types_header)) { hdr = (void *)(info->tail + parsed_len); + token_len = hdr->len + sizeof(struct ieee_types_header); + if (token_len > left_len) { + err = -EINVAL; + goto out; + } + switch (hdr->element_id) { case WLAN_EID_SSID: case WLAN_EID_SUPP_RATES: @@ -361,17 +369,20 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, if (cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT, WLAN_OUI_TYPE_MICROSOFT_WMM, (const u8 *)hdr, - hdr->len + sizeof(struct ieee_types_header))) + token_len)) break; /* fall through */ default: - memcpy(gen_ie->ie_buffer + ie_len, hdr, - hdr->len + sizeof(struct ieee_types_header)); - ie_len += hdr->len + sizeof(struct ieee_types_header); + if (ie_len + token_len > IEEE_MAX_IE_SIZE) { + err = -EINVAL; + goto out; + } + memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len); + ie_len += token_len; break; } - left_len -= hdr->len + sizeof(struct ieee_types_header); - parsed_len += hdr->len + sizeof(struct ieee_types_header); + left_len -= token_len; + parsed_len += token_len; } /* parse only WPA vendor IE from tail, WMM IE is configured by @@ -381,15 +392,17 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, WLAN_OUI_TYPE_MICROSOFT_WPA, info->tail, info->tail_len); if (vendorhdr) { - memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, - vendorhdr->len + sizeof(struct ieee_types_header)); - ie_len += vendorhdr->len + sizeof(struct ieee_types_header); + token_len = vendorhdr->len + sizeof(struct ieee_types_header); + if (ie_len + token_len > IEEE_MAX_IE_SIZE) { + err = -EINVAL; + goto out; + } + memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len); + ie_len += token_len; } - if (!ie_len) { - kfree(gen_ie); - return 0; - } + if (!ie_len) + goto out; gen_ie->ie_index = cpu_to_le16(gen_idx); gen_ie->mgmt_subtype_mask = cpu_to_le16(MGMT_MASK_BEACON | @@ -399,13 +412,15 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, if (mwifiex_update_uap_custom_ie(priv, gen_ie, &gen_idx, NULL, NULL, NULL, NULL)) { - kfree(gen_ie); - return -1; + err = -EINVAL; + goto out; } priv->gen_idx = gen_idx; + + out: kfree(gen_ie); - return 0; + return err; } /* This function parses different IEs-head & tail IEs, beacon IEs, -- 2.20.1