Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp470262ybl; Tue, 28 Jan 2020 06:28:23 -0800 (PST) X-Google-Smtp-Source: APXvYqxZdPAa5kj7H9kRCNv+hpYJmbWlQhS5UHmBGfsheVIfLreFIyotpLZAP/mGjoKoslORM/ro X-Received: by 2002:a9d:2c2:: with SMTP id 60mr16617983otl.208.1580221702645; Tue, 28 Jan 2020 06:28:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580221702; cv=none; d=google.com; s=arc-20160816; b=LRefN9xUpUwQhI/87LfhrFi2wt0CvPzzW/JNNrpZzX8L+nS4y3qPD7vI0/t4uWNSmV N66nG9qYzo7sW1lX27Nsgo1baXcIcsglT/S/S7JAe473z+jhkATKKMEHrF4vD1hmxDCe gD0DZo8yFr25lV42wE3g344uLJhXnOvlnF+zFdvO3B7ssKK0516C0svOQlpmMCWQrK8I fuaCOUUTWJW3e1udrZocjnoHWdPW/HZ+AkeFrFERsTKOEB6KO4vyKXJIsNz+54VZVzWu 8LjuAJ44pCnRSZQ/49XDScouQt2bg+r5jEJruvN9SkanYEWQ5INrUmZhSaANpupPLqhc XTOQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=NqkWjk1b6NzXu59WwGeFHQeX6RC+G++LWSxUR8k3sG8=; b=arnVogo9GG7qR7WVvKP7vPkZoneO/6dtnssqb2j5zzSgON/WW3wdTioDsiJAPXdA2p 0SFK8V+Ni9A0FZFOUaQZjnx8zNgzRn/wpCFkS5u8CO16Mgk1MsKfbqw7fNDcuGuDLFLn 76yv+b7yeVhP1AmXRncKSM8O6ifL87K1sB4Bo7okqjPC+uw/LEzaenhEtEOXR4ic0lBF FBuH6580izJ1iZ7AzDcRv788dL+4KVStQpWWgbd1ati8G+nDkqTLbzLJWLYkBG8f9TVJ OfNEeNsIUSvT4WPDDroU4LEkBnGtjX4P33EkYH2SaUG24oJh0UPRp/QWohngrocCmJE5 zwnw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=zYIogUyw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z14si8515125oth.15.2020.01.28.06.28.10; Tue, 28 Jan 2020 06:28:22 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=zYIogUyw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733167AbgA1O0R (ORCPT + 99 others); Tue, 28 Jan 2020 09:26:17 -0500 Received: from mail.kernel.org ([198.145.29.99]:53650 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732452AbgA1O0Q (ORCPT ); Tue, 28 Jan 2020 09:26:16 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C2D1E24686; Tue, 28 Jan 2020 14:26:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1580221575; bh=y5naaX/jk2tPD3PXMjWnK2jYPzGwF+1sy9ZDxHDE3wE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zYIogUywl2TprQmEodTBIYfethGeF8OHlqLesn+D8Vpv795jTuvjgaXr2p9N0X3hb mdCRrZhSDkqIucLkVTkkqZLjpkBH6bGMibUW6PSevhlOK0E1K+K3BLlbMB1VIyunDf hKeIe5PTDYee30MgrPT9FK1dyVtXfcx5EgbKcAU0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, kbuild test robot , Wen Huang , Kalle Valo Subject: [PATCH 4.9 265/271] libertas: Fix two buffer overflows at parsing bss descriptor Date: Tue, 28 Jan 2020 15:06:54 +0100 Message-Id: <20200128135912.316442577@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200128135852.449088278@linuxfoundation.org> References: <20200128135852.449088278@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Wen Huang commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream. add_ie_rates() copys rates without checking the length in bss descriptor from remote AP.when victim connects to remote attacker, this may trigger buffer overflow. lbs_ibss_join_existing() copys rates without checking the length in bss descriptor from remote IBSS node.when victim connects to remote attacker, this may trigger buffer overflow. Fix them by putting the length check before performing copy. This fix addresses CVE-2019-14896 and CVE-2019-14897. This also fix build warning of mixed declarations and code. Reported-by: kbuild test robot Signed-off-by: Wen Huang Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/marvell/libertas/cfg.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) --- a/drivers/net/wireless/marvell/libertas/cfg.c +++ b/drivers/net/wireless/marvell/libertas/cfg.c @@ -272,6 +272,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int int hw, ap, ap_max = ie[1]; u8 hw_rate; + if (ap_max > MAX_RATES) { + lbs_deb_assoc("invalid rates\n"); + return tlv; + } /* Advance past IE header */ ie += 2; @@ -1789,6 +1793,9 @@ static int lbs_ibss_join_existing(struct struct cmd_ds_802_11_ad_hoc_join cmd; u8 preamble = RADIO_PREAMBLE_SHORT; int ret = 0; + int hw, i; + u8 rates_max; + u8 *rates; lbs_deb_enter(LBS_DEB_CFG80211); @@ -1849,9 +1856,12 @@ static int lbs_ibss_join_existing(struct if (!rates_eid) { lbs_add_rates(cmd.bss.rates); } else { - int hw, i; - u8 rates_max = rates_eid[1]; - u8 *rates = cmd.bss.rates; + rates_max = rates_eid[1]; + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); + goto out; + } + rates = cmd.bss.rates; for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { u8 hw_rate = lbs_rates[hw].bitrate / 5; for (i = 0; i < rates_max; i++) {