From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Takashi Iwai, Kalle Valo
Subject: [PATCH 4.19 67/91] mwifiex: Abort at too short BSS descriptor element
Date: Fri, 12 Jul 2019 14:19:10 +0200
Message-Id: <20190712121625.432016233@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190712121621.422224300@linuxfoundation.org>
References: <20190712121621.422224300@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Takashi Iwai

commit 685c9b7750bfacd6fc1db50d86579980593b7869 upstream.

Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that the
source descriptor entries contain enough size for each type and performs
copying without checking the source size. This may lead to a read over the
boundary.

Fix this by putting the source size check in appropriate places.

Signed-off-by: Takashi Iwai
Signed-off-by: Kalle Valo
Signed-off-by: Greg Kroah-Hartman

diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c index 64ab6fe78c0d..c269a0de9413 100644 --- a/drivers/net/wireless/marvell/mwifiex/scan.c +++ b/drivers/net/wireless/marvell/mwifiex/scan.c @@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, break; case WLAN_EID_FH_PARAMS: + if (element_len + 2 < sizeof(*fh_param_set)) + return -EINVAL; fh_param_set = (struct ieee_types_fh_param_set *) current_ptr; memcpy(&bss_entry->phy_param_set.fh_param_set, @@ -1277,6 +1279,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, break; case WLAN_EID_DS_PARAMS: + if (element_len + 2 < sizeof(*ds_param_set)) + return -EINVAL; ds_param_set = (struct ieee_types_ds_param_set *) current_ptr;
@@ -1288,6 +1292,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, break; case WLAN_EID_CF_PARAMS: + if (element_len + 2 < sizeof(*cf_param_set)) + return -EINVAL; cf_param_set = (struct ieee_types_cf_param_set *) current_ptr; memcpy(&bss_entry->ss_param_set.cf_param_set, @@ -1296,6 +1302,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, break; case WLAN_EID_IBSS_PARAMS: + if (element_len + 2 < sizeof(*ibss_param_set)) + return -EINVAL; ibss_param_set = (struct ieee_types_ibss_param_set *) current_ptr; @@ -1305,10 +1313,14 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, break; case WLAN_EID_ERP_INFO: + if (!element_len) + return -EINVAL; bss_entry->erp_flags = *(current_ptr + 2); break; case WLAN_EID_PWR_CONSTRAINT: + if (!element_len) + return -EINVAL; bss_entry->local_constraint = *(current_ptr + 2); bss_entry->sensed_11h = true; break; @@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, break; case WLAN_EID_VENDOR_SPECIFIC: + if (element_len + 2 < sizeof(vendor_ie->vend_hdr)) + return -EINVAL; + vendor_ie = (struct ieee_types_vendor_specific *) current_ptr;
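Review bot: the bare `+ 2` in `if (element_len + 2 < sizeof(*fh_param_set))`, repeated in the DS, CF, IBSS and vendor-specific hunks, encodes the two-octet element id/length header that the `ieee_types_*_param_set` structs include, and nothing in the diff says so; a named size for the IE header, or a one-line comment at the first occurrence, would make the six comparisons self-documenting and keep them from drifting apart. The guard itself is sound for this purpose: assuming `element_len` is the single-byte IE length field, the addition is performed in `int` and cannot wrap, and each check is placed before the cast of `current_ptr` and the `memcpy` that read from it, so the over-read the commit message describes is stopped before any byte is touched. Note also that `return -EINVAL` discards the whole BSS descriptor when any one element is short, which matches the "Abort" in the subject line but is stricter than skipping the malformed element; a sentence in the commit message about why aborting is the right response would help the stable reviewers.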
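Review bot: `if (!element_len)` in the ERP_INFO and PWR_CONSTRAINT cases is exactly what the single-byte read `*(current_ptr + 2)` that follows needs, since it only requires one octet of payload after the header; the check is correct, but its shape differs from the `element_len + 2 < sizeof(...)` guards in the surrounding cases, so a short comment that these two elements carry a one-octet value would spare the next reader from verifying that no wider read is hidden below the hunk.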
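Review bot: in the WLAN_EID_VENDOR_SPECIFIC hunk, `sizeof(vendor_ie->vend_hdr)` is written before `vendor_ie` is assigned from `current_ptr`; this is legal C because `sizeof` does not evaluate its operand, but it reads as a use-before-assignment and may draw a static-analysis warning. Spelling out the header's type name in the `sizeof`, or moving the assignment (which is only a cast and does not dereference) above the check, removes the apparent ordering problem without changing behaviour. The hunk is cut off at this point, so the copy it protects is not visible here; the comparison should be confirmed against the first read of `vendor_ie` below it.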