Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp667349ybv; Thu, 13 Feb 2020 07:27:38 -0800 (PST) X-Google-Smtp-Source: APXvYqwGqDdMmAxQqqab0RbgDxik/1kfGAtUivYQbQ9i8Ix8DIosbdBCW5nH5N3jnzuc9Y76l7Pt X-Received: by 2002:a9d:7f11:: with SMTP id j17mr14420648otq.281.1581607658504; Thu, 13 Feb 2020 07:27:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581607658; cv=none; d=google.com; s=arc-20160816; b=oOSpHTITPwOyFBkyIZi3ti//fNLjzDdcR8/4ZoVy4uGW63FNucRfVOaJiSHN7tHWCk +MGLVoRrZfGGc+y2RJJtqMrqNi7Xmho1r98F2xr65A1fxsm2B8XgfAFPLA1QsptVbiCE UVNlbz5PP61z7wirifSascFoLIqDcWSUNJD9DFYCvD40Q/WAES51977WkRlqIIhvhDI9 2oy7/nfpolbSm196voA0vj9cT8gurdDWTP2npPMoq3d80qjY1kYXCVWIm9saQALTE/wf vT+CriWZC4rFH2wTfO3vsC8Tv6I2dyB1HKwQKUkr5B0eym3gjE0e1KijcgHClVCKmMTE /VdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=pTtIq1SpnWJpipFCDidzmawDOYMjGwWZGHnw5v3kHfg=; b=Cuuq7/DKBVqCa4yYoqgLMHnLJ8BNfyUznYs3NAO7x0/WTsVOMDadFJZqtecErICtD7 Nc5kCaz/jAOaJdFGLdg6HJF0sAyJnYgJ75HmG+MG/271S38Gbt4YdeM2JebAkocB3sBM 1n4YQdaNiAoav18Uf0IYuVkSQsqRaZvCSwDV/yBBBmfB5quBUcvFJdVlruLzKKvN0Yus u2fhDMqKst4C7BvTS8LLREqxPbsdmEs0r9SgHJD9EfHLL2cX++3damAqika8dV8nW1vR 1SrKz1yzGIOiFiDOpiROF0cto/YSOp9HpwS9QBFDO9TFpG4ljDvlnrXqX/q/589tqtRL jMmQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=YC7Y4I2r; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e17si1340259oti.136.2020.02.13.07.27.25; Thu, 13 Feb 2020 07:27:38 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=YC7Y4I2r; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728185AbgBMP0K (ORCPT + 99 others); Thu, 13 Feb 2020 10:26:10 -0500 Received: from mail.kernel.org ([198.145.29.99]:37424 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728676AbgBMPYX (ORCPT ); Thu, 13 Feb 2020 10:24:23 -0500 Received: from localhost (unknown [104.132.1.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id AC49C246B8; Thu, 13 Feb 2020 15:24:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1581607462; bh=p5Vka3MWRnnxWQWS9554okQybQol3sSg6zPQmh524Rw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YC7Y4I2rxCAJjfmqvlpOlqpWVNh5nW9fDapWGm6Dj/RBGpaPOV0Oxm76m5BR7tAK+ LSNQfugA+K5FcIsLokWjyxan7XB50AVdFEfk4zGOed+iaAjwA+xImewJQvBJwhDnTj fYMaqWGkB42uQ6v56z5/9swR3tu9lkk/1y6T+AQQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Qing Xu , Kalle Valo , Sasha Levin Subject: [PATCH 4.9 113/116] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Date: Thu, 13 Feb 2020 07:20:57 -0800 Message-Id: <20200213151925.781939440@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200213151842.259660170@linuxfoundation.org> References: <20200213151842.259660170@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Qing Xu [ Upstream commit 3a9b153c5591548612c3955c9600a98150c81875 ] mwifiex_ret_wmm_get_status() calls memcpy() without checking the destination size.Since the source is given from remote AP which contains illegal wmm elements , this may trigger a heap buffer overflow. Fix it by putting the length check before calling memcpy(). Signed-off-by: Qing Xu Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin --- drivers/net/wireless/marvell/mwifiex/wmm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/wireless/marvell/mwifiex/wmm.c b/drivers/net/wireless/marvell/mwifiex/wmm.c index 9843560e784fe..c93fcafbcc7a6 100644 --- a/drivers/net/wireless/marvell/mwifiex/wmm.c +++ b/drivers/net/wireless/marvell/mwifiex/wmm.c @@ -980,6 +980,10 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private *priv, "WMM Parameter Set Count: %d\n", wmm_param_ie->qos_info_bitmap & mask); + if (wmm_param_ie->vend_hdr.len + 2 > + sizeof(struct ieee_types_wmm_parameter)) + break; + memcpy((u8 *) &priv->curr_bss_params.bss_descriptor. wmm_ie, wmm_param_ie, wmm_param_ie->vend_hdr.len + 2); -- 2.20.1