Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp851842ybi;
        Fri, 12 Jul 2019 05:43:01 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyXHEwplhNGy2cFJT9dcolLfzcBjtmwvIKFB72aekRIchjbeIEcBvxwOjb2kBE3XbpJzCLU
X-Received: by 2002:a17:90a:9a83:: with SMTP id e3mr11324998pjp.105.1562935381311;
        Fri, 12 Jul 2019 05:43:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1562935381; cv=none;
        d=google.com; s=arc-20160816;
        b=fPH/2alnkoJk+l3TE4HSM94T+Xb5TgGKdpn10QFHng/udoJPWlEM7Z1mJtpPw3pMnw
         fkt9ny+yVs1T6uWDwOm64YvFmZ2Y3MlJevbAn6YXoDaK5bTZUO2C6l/1haxhcOnSUmS1
         CsGttaJzC67bYDfezHwwlBct+MKgbdwzzwZOVjt0afmPn5trAWzwv0vNKwgwXg2yYCU0
         ykX+aDWMAfCxyX2K5+kZQ9wQwRCWWwSMx8IJhP9A/t1BQaIxpI+7dndlrA2oBXZxRq1D
         FqDf0CZFxWxvn6Fcs0wJyUUH8eE9ac5mW78wPrDTrHP01tR5DBzgke6J8Y+FAJoNdSt5
         wakA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=zvdD5Zwe/mFim8wbICnEiTkUmJH3H35oWL/ZOKEJk4g=;
        b=Zs0mWiF+412/nv/MFvVWZklyycnO88Rq9LOa/WpArp4MBCB+h0kxKy741Q9cRFiYAf
         Vup3yPjju+qD46sigz0WQel4z720ZHqfz1EFGXNncq4Gf5AQmtYJfpZOfwoxuHVLsikg
         3f9mzzIvyUPBza/ArGwXMXMHMZ0W6oT2N2iOjFME9lnJkplvhkasCFBHkvt1GZGCr1Zl
         g3Ag6I4QMSmBk6L1q17ghYZGo9HcPrMFF0+cBzi6sxhAuDOCiaOwusVkOZUIAWYY/Mls
         LtEqSMp+whCw4cuu9AbLugll6AUidiEusby4nDQmihGJIP9Jb+cYwoYWKtRHcJmQfWO9
         1nYw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=b6Gm84SY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id ba9si7447859plb.308.2019.07.12.05.42.45;
        Fri, 12 Jul 2019 05:43:01 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=b6Gm84SY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727908AbfGLMXV (ORCPT <rfc822;daisukeokaopensource@gmail.com>
        + 99 others); Fri, 12 Jul 2019 08:23:21 -0400
Received: from mail.kernel.org ([198.145.29.99]:58746 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727893AbfGLMXS (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 12 Jul 2019 08:23:18 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id BAC3A208E4;
        Fri, 12 Jul 2019 12:23:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1562934197;
        bh=kZRQvJw6XKYUVajFClZqugz9tZAzXHs5KCqX0QUsahQ=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=b6Gm84SYVm2nQGJlrSzAMkseawouedqZfzPzcnmgIsTgWKjIA38OpoXhdwqgGlHvv
         Krn1/LWVn+UCAWGp0DfxIgY9Prz9MMNqrcr9da7BKjMoPhY/wA5oi+7mqtqeU3ZOek
         hgOMawrcJl0bwbhlfhEX9PjV7vEtJW80rgeNabk4=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Takashi Iwai <tiwai@suse.de>,
        Kalle Valo <kvalo@codeaurora.org>
Subject: [PATCH 4.19 67/91] mwifiex: Abort at too short BSS descriptor element
Date:   Fri, 12 Jul 2019 14:19:10 +0200
Message-Id: <20190712121625.432016233@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190712121621.422224300@linuxfoundation.org>
References: <20190712121621.422224300@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Takashi Iwai <tiwai@suse.de>

commit 685c9b7750bfacd6fc1db50d86579980593b7869 upstream.

Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
the source descriptor entries contain the enough size for each type
and performs copying without checking the source size.  This may lead
to read over boundary.

Fix this by putting the source size check in appropriate places.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
index 64ab6fe78c0d..c269a0de9413 100644
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
 			break;
 
 		case WLAN_EID_FH_PARAMS:
+			if (element_len + 2 < sizeof(*fh_param_set))
+				return -EINVAL;
 			fh_param_set =
 				(struct ieee_types_fh_param_set *) current_ptr;
 			memcpy(&bss_entry->phy_param_set.fh_param_set,
@@ -1277,6 +1279,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
 			break;
 
 		case WLAN_EID_DS_PARAMS:
+			if (element_len + 2 < sizeof(*ds_param_set))
+				return -EINVAL;
 			ds_param_set =
 				(struct ieee_types_ds_param_set *) current_ptr;
 
@@ -1288,6 +1292,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
 			break;
 
 		case WLAN_EID_CF_PARAMS:
+			if (element_len + 2 < sizeof(*cf_param_set))
+				return -EINVAL;
 			cf_param_set =
 				(struct ieee_types_cf_param_set *) current_ptr;
 			memcpy(&bss_entry->ss_param_set.cf_param_set,
@@ -1296,6 +1302,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
 			break;
 
 		case WLAN_EID_IBSS_PARAMS:
+			if (element_len + 2 < sizeof(*ibss_param_set))
+				return -EINVAL;
 			ibss_param_set =
 				(struct ieee_types_ibss_param_set *)
 				current_ptr;
@@ -1305,10 +1313,14 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
 			break;
 
 		case WLAN_EID_ERP_INFO:
+			if (!element_len)
+				return -EINVAL;
 			bss_entry->erp_flags = *(current_ptr + 2);
 			break;
 
 		case WLAN_EID_PWR_CONSTRAINT:
+			if (!element_len)
+				return -EINVAL;
 			bss_entry->local_constraint = *(current_ptr + 2);
 			bss_entry->sensed_11h = true;
 			break;
@@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
 			break;
 
 		case WLAN_EID_VENDOR_SPECIFIC:
+			if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
+				return -EINVAL;
+
 			vendor_ie = (struct ieee_types_vendor_specific *)
 					current_ptr;