Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp457452ybl; Tue, 28 Jan 2020 06:16:53 -0800 (PST) X-Google-Smtp-Source: APXvYqxtVCDFE8eIj1iYJkL8y8x6nQmJOmQMk8SReo9qwPmq0+g4rPRbTvJh/Ulm2ALT1e8V5xu2 X-Received: by 2002:a05:6808:4cc:: with SMTP id a12mr2988088oie.115.1580221013435; Tue, 28 Jan 2020 06:16:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580221013; cv=none; d=google.com; s=arc-20160816; b=kkO5pKT5kr6Q1FR0lLz4CxkTRuhnQZT9hdEoxrPgfRWG68uCqZ/odbGpofLZGvUB6L OcOwNY0dSQa8C4S3BpREysIf9uhLJB5teU+iPkZ+Ho3e55a10UMzjIhneHJ+Zr+BbIPG PKh+b2cFU2LwkdMaQTmLXKSD57GtCB580z2R0eUl5c8HZEoYtq+dT26fg0GzYqQb2ODx nyTe7UPssRPb17rF65ijgLNI8DlvvPvgH7U+zRFjVM8Fn9MU2bb9NxkEnwcjqiliem2M CFiEKU4grIIM1IEeU3tRRSN21SG9JBxwbvfT+h/pwy2hBoP7glgPa+o2vkwQCsA3C5AS IRNA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=J/Zpd5tafygK63sVXPZ9h93IqHBS7WKjfWEy7AQX/t8=; b=y4QIfCJZET2VGJaxN5JOU4T76/W39Ah2PBMNi/opJaaVP/drvJvBC1KoPz8TIop5NM 83a8Jq2AdzljFsYg9O/SLLVfMUfFN3t15VvgdMLj6pusZInuqbSWZQzUoCMJHBaX943V iWS22qEz3kq1KDwoAwISVh/d43wO0MnDtv2e7bQ5Ll/fsS6Jix++/jIIOETyf6ay0l+g uMOXTMQCYAEyZ/OmFHU1Pb2yZ+L+lPSZI5moMkjQ0Rhz6GuHzugbMLTTxtbFui8bbcXK Uy5E2LCOUHe15+RKr5k7VfwHRG3/fMpijI+G6trM4L7WZsd1yx96Kg9Mot/lmovR/oln ZX2Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=hLvFb1dW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o7si8767470otk.185.2020.01.28.06.16.40; Tue, 28 Jan 2020 06:16:53 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=hLvFb1dW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729937AbgA1OOn (ORCPT + 99 others); Tue, 28 Jan 2020 09:14:43 -0500 Received: from mail.kernel.org ([198.145.29.99]:36950 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728183AbgA1OOl (ORCPT ); Tue, 28 Jan 2020 09:14:41 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 131F224693; Tue, 28 Jan 2020 14:14:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1580220880; bh=N0+TqitR6x8SaBnWZM8XYV12zZUenDlfzoRwwjLj6Ag=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hLvFb1dWZ3KEKqdFEexmrL9nIanxNKDHdGOVZi2bImuLT5W32BgqyQpbDXpLZBpLE n8nw90ngzBcHwMCELZLooPLplT52VW0+YSghx22GjF0bcljcsQrwEY55FI/1L15Lv5 3q9JQIh/RBK+xB7yg9kbCsFM/RH2zHp6INeZoybA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, kbuild test robot , Wen Huang , Kalle Valo Subject: [PATCH 4.4 183/183] libertas: Fix two buffer overflows at parsing bss descriptor Date: Tue, 28 Jan 2020 15:06:42 +0100 Message-Id: <20200128135847.988935436@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200128135829.486060649@linuxfoundation.org> References: <20200128135829.486060649@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Wen Huang commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream. add_ie_rates() copys rates without checking the length in bss descriptor from remote AP.when victim connects to remote attacker, this may trigger buffer overflow. lbs_ibss_join_existing() copys rates without checking the length in bss descriptor from remote IBSS node.when victim connects to remote attacker, this may trigger buffer overflow. Fix them by putting the length check before performing copy. This fix addresses CVE-2019-14896 and CVE-2019-14897. This also fix build warning of mixed declarations and code. Reported-by: kbuild test robot Signed-off-by: Wen Huang Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/libertas/cfg.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) --- a/drivers/net/wireless/libertas/cfg.c +++ b/drivers/net/wireless/libertas/cfg.c @@ -272,6 +272,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int int hw, ap, ap_max = ie[1]; u8 hw_rate; + if (ap_max > MAX_RATES) { + lbs_deb_assoc("invalid rates\n"); + return tlv; + } /* Advance past IE header */ ie += 2; @@ -1783,6 +1787,9 @@ static int lbs_ibss_join_existing(struct struct cmd_ds_802_11_ad_hoc_join cmd; u8 preamble = RADIO_PREAMBLE_SHORT; int ret = 0; + int hw, i; + u8 rates_max; + u8 *rates; lbs_deb_enter(LBS_DEB_CFG80211); @@ -1843,9 +1850,12 @@ static int lbs_ibss_join_existing(struct if (!rates_eid) { lbs_add_rates(cmd.bss.rates); } else { - int hw, i; - u8 rates_max = rates_eid[1]; - u8 *rates = cmd.bss.rates; + rates_max = rates_eid[1]; + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); + goto out; + } + rates = cmd.bss.rates; for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { u8 hw_rate = lbs_rates[hw].bitrate / 5; for (i = 0; i < rates_max; i++) {