Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp441230ybl; Tue, 28 Jan 2020 06:04:17 -0800 (PST) X-Google-Smtp-Source: APXvYqy2a9t0SVR/69dt3KvVNnr6ZFZQbRRCmXNOHF6bJ3BQfNiro5Lc/dTyURiMVf+jWfzVoiDb X-Received: by 2002:aca:2307:: with SMTP id e7mr1018401oie.163.1580220257642; Tue, 28 Jan 2020 06:04:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580220257; cv=none; d=google.com; s=arc-20160816; b=ZuYuR8bSU404cCuE5+JbQ6/yuMGEHcZVUWNpGVm1XNbMVKpy21Gu8BvfS93LUAiPDT N3nS32yx43v/LH+dzfEVLPHKBA50ZBWoF4co9zPMHITW8UW2JWrYFNr9vlaytj/16uq5 3PBdZLwvOKgxpyKbTsQ+sBzdZzSCb4otFItgjpeQyC3kBFf7PzTB0DI8sxDb+pPbYsrO bY2XBmY2fCAMYYuHkE9Xk070vKVQ289U7lf6pKgAXUQvPogoidY4r3agSbbzu5OuI1pr UWkhPRGvSlG2BVqQWmvxwwwa3eYtclmChVAK4Q2d0fCBFCjfLYtnpCIYxzATSG5n9U3v pGyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=m9bXl7pyImznBL3JWqyQQYm3LPd/eId4idOglCwOStI=; b=vdY20JwdWF0nkCS1d+OURiNOXNN4EY3HQ0ZgVF+VgXWU4vsVhRH1czEOMyNNvoqR7k oaHnn1r8Z8l+BNSKcjUI0LHPIB2hh0JdoZb5qAU8LepGhaz+TgjMWjUVCFgdzyviI9i5 T4lxIvimvymk7jfwNvMfvxFLalGA0bXZ5qBA3v5kRkS8KOMO5pMP5VlJyCS1Hkd6mrCq K4enV5EdbRys9iSoBm1m3LOniIlsGkkxsUjln1XfnxlOA4pAKzHQOqDI4yI0212cgcKy PiyclJABxLKZw/HIkAAWvMsIQE4BnIibu9B17yOAWYNKKVBflI2dDgcvXhyU3NEW9u2l uFCw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=dfKz0wVE; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u23si5075370otj.242.2020.01.28.06.03.47; Tue, 28 Jan 2020 06:04:17 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=dfKz0wVE; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727319AbgA1OAr (ORCPT + 99 others); Tue, 28 Jan 2020 09:00:47 -0500 Received: from mail.kernel.org ([198.145.29.99]:45244 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727091AbgA1N7p (ORCPT ); Tue, 28 Jan 2020 08:59:45 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id AD8082468D; Tue, 28 Jan 2020 13:59:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1580219985; bh=4Frap3mfnAk0X4wDUL7sCIA1V+NeYEp9Pkx5bPfq8GQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dfKz0wVEbnPJkFV0Vr/12u5p0WbLQm+5RplYDETjYS9txF5IsYKu0TZcBnyASW4Zc ETmGjF55HQqCK1AQMhe/6lc+42S4sNWLPwRhYJ120Lsv0cq4oA4VNM7D0ndEF69UKg 905aAKRT63AMRuLOFk471/vegjNpIIcshfmywzWI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, kbuild test robot , Wen Huang , Kalle Valo Subject: [PATCH 4.14 40/46] libertas: Fix two buffer overflows at parsing bss descriptor Date: Tue, 28 Jan 2020 14:58:14 +0100 Message-Id: <20200128135755.016374415@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200128135749.822297911@linuxfoundation.org> References: <20200128135749.822297911@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Wen Huang commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream. add_ie_rates() copys rates without checking the length in bss descriptor from remote AP.when victim connects to remote attacker, this may trigger buffer overflow. lbs_ibss_join_existing() copys rates without checking the length in bss descriptor from remote IBSS node.when victim connects to remote attacker, this may trigger buffer overflow. Fix them by putting the length check before performing copy. This fix addresses CVE-2019-14896 and CVE-2019-14897. This also fix build warning of mixed declarations and code. Reported-by: kbuild test robot Signed-off-by: Wen Huang Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/marvell/libertas/cfg.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) --- a/drivers/net/wireless/marvell/libertas/cfg.c +++ b/drivers/net/wireless/marvell/libertas/cfg.c @@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int int hw, ap, ap_max = ie[1]; u8 hw_rate; + if (ap_max > MAX_RATES) { + lbs_deb_assoc("invalid rates\n"); + return tlv; + } /* Advance past IE header */ ie += 2; @@ -1720,6 +1724,9 @@ static int lbs_ibss_join_existing(struct struct cmd_ds_802_11_ad_hoc_join cmd; u8 preamble = RADIO_PREAMBLE_SHORT; int ret = 0; + int hw, i; + u8 rates_max; + u8 *rates; /* TODO: set preamble based on scan result */ ret = lbs_set_radio(priv, preamble, 1); @@ -1778,9 +1785,12 @@ static int lbs_ibss_join_existing(struct if (!rates_eid) { lbs_add_rates(cmd.bss.rates); } else { - int hw, i; - u8 rates_max = rates_eid[1]; - u8 *rates = cmd.bss.rates; + rates_max = rates_eid[1]; + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); + goto out; + } + rates = cmd.bss.rates; for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { u8 hw_rate = lbs_rates[hw].bitrate / 5; for (i = 0; i < rates_max; i++) {