From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, huangwen, Takashi Iwai, Kalle Valo
Subject: [PATCH 4.4 16/40] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
Date: Thu, 18 Jul 2019 12:02:12 +0900
Message-Id: <20190718030044.173010604@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190718030039.676518610@linuxfoundation.org>
References: <20190718030039.676518610@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Takashi Iwai

commit 69ae4f6aac1578575126319d3f55550e7e440449 upstream.

A few places in mwifiex_uap_parse_tail_ies() perform memcpy() unconditionally, which may lead to either buffer overflow or read over boundary. This patch addresses the issues by checking the read size and the destination size at each place more properly.

Along with the fixes, the patch cleans up the code slightly by introducing a temporary variable for the token size, and unifies the error path with the standard goto statement.

Reported-by: huangwen
Signed-off-by: Takashi Iwai
Signed-off-by: Kalle Valo
Signed-off-by: Greg Kroah-Hartman

---
 drivers/net/wireless/mwifiex/ie.c | 45 +++++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 15 deletions(-)

--- a/drivers/net/wireless/mwifiex/ie.c
+++ b/drivers/net/wireless/mwifiex/ie.c
@@ -328,6 +328,8 @@ static int mwifiex_uap_parse_tail_ies(st struct ieee80211_vendor_ie *vendorhdr; u16 gen_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0; int left_len, parsed_len = 0; + unsigned int token_len; + int err = 0; if (!info->tail || !info->tail_len) return 0;
@@ -343,6 +345,12 @@ static int mwifiex_uap_parse_tail_ies(st */ while (left_len > sizeof(struct ieee_types_header)) { hdr = (void *)(info->tail + parsed_len); + token_len = hdr->len + sizeof(struct ieee_types_header); + if (token_len > left_len) { + err = -EINVAL; + goto out; + } + switch (hdr->element_id) { case WLAN_EID_SSID: case WLAN_EID_SUPP_RATES: @@ -356,13 +364,16 @@ static int mwifiex_uap_parse_tail_ies(st case WLAN_EID_VENDOR_SPECIFIC: break; default: - memcpy(gen_ie->ie_buffer + ie_len, hdr, - hdr->len + sizeof(struct ieee_types_header)); - ie_len += hdr->len + sizeof(struct ieee_types_header); + if (ie_len + token_len > IEEE_MAX_IE_SIZE) { + err = -EINVAL; + goto out; + } + memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len); + ie_len += token_len; break; } - left_len -= hdr->len + sizeof(struct ieee_types_header); - parsed_len += hdr->len + sizeof(struct ieee_types_header); + left_len -= token_len; + parsed_len += token_len; } /* parse only WPA vendor IE from tail, WMM IE is configured by @@ -372,15 +383,17 @@ static int mwifiex_uap_parse_tail_ies(st WLAN_OUI_TYPE_MICROSOFT_WPA, info->tail, info->tail_len); if (vendorhdr) { - memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, - vendorhdr->len + sizeof(struct ieee_types_header)); - ie_len += vendorhdr->len + sizeof(struct ieee_types_header); + token_len = vendorhdr->len + sizeof(struct ieee_types_header); + if (ie_len + token_len > IEEE_MAX_IE_SIZE) { + err = -EINVAL; + goto out; + } + memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len); + ie_len += token_len; } - if (!ie_len) { - kfree(gen_ie); - return 0; - } + if (!ie_len) + goto out; gen_ie->ie_index = cpu_to_le16(gen_idx); gen_ie->mgmt_subtype_mask = cpu_to_le16(MGMT_MASK_BEACON | 
@@ -390,13 +403,15 @@ static int mwifiex_uap_parse_tail_ies(st if (mwifiex_update_uap_custom_ie(priv, gen_ie, &gen_idx, NULL, NULL, NULL, NULL)) { - kfree(gen_ie); - return -1; + err = -EINVAL; + goto out; } priv->gen_idx = gen_idx; + + out: kfree(gen_ie); - return 0; + return err; } /* This function parses different IEs-head & tail IEs, beacon IEs,
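Review bot: in the first hunk (@@ -328,6 +328,8 @@) token_len is declared unsigned int while left_len stays int, so the new `token_len > left_len` comparison later in the loop converts left_len to unsigned; that is only safe because the loop header keeps left_len above sizeof(struct ieee_types_header) and therefore positive. Either declare left_len unsigned as well, or add a one-line comment at the declaration saying the comparison relies on the loop condition, so a later change to the loop does not silently reintroduce a wraparound.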
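Review bot: in the loop hunk (@@ -343,6 +345,12 @@ and the `default:` case that follows) the destination check `if (ie_len + token_len > IEEE_MAX_IE_SIZE)` is made against a constant, but the declaration of gen_ie->ie_buffer is not in the diff; please confirm the buffer is exactly IEEE_MAX_IE_SIZE bytes, or name that relationship in a comment at the check, so the bound and the allocation cannot drift apart. Placing the read-side check `if (token_len > left_len)` before the switch is right: it also covers the skipped element IDs, whose unchecked hdr->len previously still advanced parsed_len and left_len.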
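Review bot: in the vendor-IE hunk (@@ -372,15 +383,17 @@) only the destination side is checked (`ie_len + token_len > IEEE_MAX_IE_SIZE`); the read side, that vendorhdr->len plus the header fits within info->tail_len, is left to the lookup helper whose call is cut off just above `if (vendorhdr) {`. Unlike the loop, this branch has no `token_len > left_len` guard of its own, so a sentence in the commit message or a comment at the copy stating that the helper validates element lengths against tail_len would make the reasoning checkable.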
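Review bot: in the last hunk (@@ -390,13 +403,15 @@) the failure path of mwifiex_update_uap_custom_ie() now returns -EINVAL where it returned -1; callers that only test for non-zero are unaffected, but the commit message does not mention the changed return value, so either say so there or keep -1 in this stable backport. The `out:` label also appears indented by a space; kernel style puts labels at column 0 and checkpatch warns about indented labels.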
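The bug class the commit message describes, as an added example that is not part of the patch or of the mwifiex driver: a minimal 802.11 information-element tail parser in the shape of mwifiex_uap_parse_tail_ies(), with the unpatched loop (unconditional memcpy trusting the element's length byte) beside the patched loop (read-side and destination-side checks, single exit via goto). IE_BUF_SIZE stands in for IEEE_MAX_IE_SIZE, the element IDs, the guard region after the buffer and the three sample tails are all constructed for the demonstration, and the over-read of the vulnerable version is kept inside a zero-padded array so the demo is deterministic.

```c
/* Added example, not part of the patch or of the mwifiex driver: a minimal
 * 802.11 information-element (IE) tail parser shaped like
 * mwifiex_uap_parse_tail_ies().  An IE is element ID (1 byte), len (1 byte),
 * then `len` payload bytes.  The element IDs, IE_BUF_SIZE (standing in for
 * IEEE_MAX_IE_SIZE) and the sample tails are all constructed for the demo. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define IE_HDR_LEN  2    /* element_id + len */
#define IE_BUF_SIZE 16   /* hypothetical destination size */
#define EID_SSID 0
#define EID_SUPP_RATES 1
#define EID_VENDOR_SPECIFIC 221
/* Elements the driver configures elsewhere and skips in this loop. */
#define IE_IS_SKIPPED(eid) ((eid) == EID_SSID || (eid) == EID_SUPP_RATES || (eid) == EID_VENDOR_SPECIFIC)

struct ie_hdr { uint8_t element_id; uint8_t len; };  /* len comes straight from the frame */
struct gen_ie {
    uint8_t  ie_buffer[IE_BUF_SIZE];  /* first member: (uint8_t *)out == out->ie_buffer */
    uint8_t  guard[IE_BUF_SIZE];      /* not in the driver: makes writes past ie_buffer observable */
    uint16_t ie_len;
};

/* BEFORE the patch: copies every element unconditionally, trusting hdr->len on
 * both the read side (tail) and the write side (ie_buffer). */
int parse_tail_ies_vulnerable(const uint8_t *tail, size_t tail_len, struct gen_ie *out)
{
    /* Taken through the struct pointer so a fortified memcpy cannot abort the demo first. */
    uint8_t *dst = (uint8_t *)out;
    int left_len = (int)tail_len, parsed_len = 0;
    uint16_t ie_len = 0;
    /* The driver compares left_len with an unsigned sizeof(), so a negative
     * left_len would keep looping; the signed compare here keeps the demo bounded. */
    while (left_len > (int)IE_HDR_LEN) {
        const struct ie_hdr *hdr = (const void *)(tail + parsed_len);
        int token_len = hdr->len + IE_HDR_LEN;
        if (!IE_IS_SKIPPED(hdr->element_id)) {
            memcpy(dst + ie_len, hdr, token_len);  /* unchecked on both sides */
            ie_len += token_len;
        }
        left_len -= token_len;
        parsed_len += token_len;
    }
    out->ie_len = ie_len;
    return 0;
}

/* AFTER the patch: the element must fit in what is left of the tail and the
 * copy must fit in ie_buffer; every failure leaves through `out`. */
int parse_tail_ies_fixed(const uint8_t *tail, size_t tail_len, struct gen_ie *out)
{
    uint8_t *dst = out->ie_buffer;
    int left_len = (int)tail_len, parsed_len = 0, err = 0;
    unsigned int token_len;
    uint16_t ie_len = 0;
    while (left_len > (int)IE_HDR_LEN) {
        const struct ie_hdr *hdr = (const void *)(tail + parsed_len);
        token_len = hdr->len + IE_HDR_LEN;
        if (token_len > (unsigned int)left_len) {  /* read side; left_len > 0 here */
            err = -EINVAL;
            goto out;
        }
        if (!IE_IS_SKIPPED(hdr->element_id)) {
            if (ie_len + token_len > IE_BUF_SIZE) {  /* write side */
                err = -EINVAL;
                goto out;
            }
            memcpy(dst + ie_len, hdr, token_len);
            ie_len += token_len;
        }
        left_len -= token_len;
        parsed_len += token_len;
    }
out:
    out->ie_len = err ? 0 : ie_len;
    return err;
}

/* Constructed sample tails (not captured traffic). */
static const uint8_t tail_ok[] = { EID_SSID, 4, 'd', 'e', 'm', 'o',   /* skipped */
                                   7, 3, 0x11, 0x22, 0x33 };          /* copied: 5 bytes */
/* Claims 12 payload bytes but only 4 follow; zero padding keeps the demo's over-read in-bounds. */
static const uint8_t tail_truncated[32] = { 7, 12, 1, 2, 3, 4 };
#define TAIL_TRUNCATED_LEN 6
/* Two well-formed 12-byte elements: 24 bytes total, more than IE_BUF_SIZE. */
static const uint8_t tail_oversized[] = {
    7, 10, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    7, 10, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB,
};

/* Runs one parser on a zeroed struct so ie_len and guard can be inspected afterwards. */
int run_parser(int (*parser)(const uint8_t *, size_t, struct gen_ie *),
               const uint8_t *tail, size_t tail_len, struct gen_ie *g)
{
    memset(g, 0, sizeof(*g));
    return parser(tail, tail_len, g);
}
```

The three tails exercise the two paths the commit message names: the truncated element makes the unpatched loop read past the 6 bytes it was given (ie_len ends up 14), the oversized pair makes it write 8 bytes beyond ie_buffer into guard, and the patched loop returns -EINVAL on both while copying the well-formed tail correctly. The one deliberate departure from the driver is the signed comparison in the loop header, noted in the comment: the driver compares the int left_len with sizeof(struct ieee_types_header), which is unsigned, so once left_len went negative the original loop kept running instead of stopping.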