Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp673168ybv; Thu, 13 Feb 2020 07:32:56 -0800 (PST) X-Google-Smtp-Source: APXvYqwCPwD/B/BCIkPNSVjytYPUmh9HB3VBDDBVfWQDi9xCfv/qC3cpjX3CvF+FncxgvGSKbtB4 X-Received: by 2002:a9d:6418:: with SMTP id h24mr13797292otl.172.1581607976800; Thu, 13 Feb 2020 07:32:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581607976; cv=none; d=google.com; s=arc-20160816; b=b2Mp0YSRNEzbJdrrpraLXetfCXiRzqonKBcMPMzrJzd/vxqMqo4pufBBOuHqIttFft Wrcn6n6Zq7mdG+7smZ2Rkqjt/ejSeak1MIHBlu2Jl9QmwiAZ/sRUMmSSK4c7vuroCa86 zUZPV0Wr7vtPzf0kAeJhBBZt9q3sYNSDBVrHqo1YaZhTmD+SDeTv26mCvA8IxgoC5tVy TPftlSJldko0NY/jVF/8KEjW2HnOt6nLrEGqSMHhKOTKGS7CMmjhvVWKitJ8l5WNCBW4 1yy8jSIOz14wWuVog7aREUGQfiyHKB/XbV1uv2zSFV2o/vBZ+83NRfbBzdyC82ODIhKy B/JA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=aWscuS3A/vANbIKWRLXuTIZKhsH7Qc+t1Qf/z4B5hi8=; b=qA8DacgvC64ibFGQsCawdrePFst+EMWLwSx0woQmt6EwBO/0kT1Xwe8ghJXTuN1ntp H+OVzJ+vjk0C4stM//Q+fnNOpmOVfKhBCwOOseQfUYNOgR2ksH6d5Sn/wIw8m+NcOLkK L60pHHmRUdzxfE50xhRPWBggcw1UozKQ5hXeZFSBn7COpxBJe1MnJkvHRalRky/Sn3z6 WSFQrczefZ8NyADylfkGD57n20meXlXQ/KxoUZQ7pSyVx8jNoAv6QT4dhQeAeclqn1Ps XeES/OeRwJHFFTztA1MYtfnPoJs3oV2wYaOZ5Vqj8FyU8PuHA4pHZH2zKcAfIHFZGUEg fo8w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=gzyq6GXv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u132si1320195oie.250.2020.02.13.07.32.43; Thu, 13 Feb 2020 07:32:56 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=gzyq6GXv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387934AbgBMPba (ORCPT + 99 others); Thu, 13 Feb 2020 10:31:30 -0500 Received: from mail.kernel.org ([198.145.29.99]:53522 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729524AbgBMP16 (ORCPT ); Thu, 13 Feb 2020 10:27:58 -0500 Received: from localhost (unknown [104.132.1.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A0A3A20661; Thu, 13 Feb 2020 15:27:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1581607677; bh=XNDD2meNX5BtVFSvRvL9MggIIc57XvcHUhfEtjDcsms=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gzyq6GXvYQsCGg7P21Ak+ICWQ3r0VKHG1XceukkSYpzImWU84TxJvztOQAgXFNQCc HTuPS91MJ6CIQZdlFcqg6vgRhlrwepu51FqbYb9utysxKKYtdqTMPUkVw2CSToKmZX +QuSRgDc7rJUiGwdgUa80xEcds5ARgIyR9Yo37JM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Qing Xu , Kalle Valo , Sasha Levin Subject: [PATCH 5.4 94/96] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() Date: Thu, 13 Feb 2020 07:21:41 -0800 Message-Id: <20200213151914.100775833@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200213151839.156309910@linuxfoundation.org> References: <20200213151839.156309910@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Qing Xu [ Upstream commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d ] mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking the destination size may trigger a buffer overflower, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed-off-by: Qing Xu Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin --- drivers/net/wireless/marvell/mwifiex/scan.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c index 593c594982cb3..59f0651d148bb 100644 --- a/drivers/net/wireless/marvell/mwifiex/scan.c +++ b/drivers/net/wireless/marvell/mwifiex/scan.c @@ -2886,6 +2886,13 @@ mwifiex_cmd_append_vsie_tlv(struct mwifiex_private *priv, vs_param_set->header.len = cpu_to_le16((((u16) priv->vs_ie[id].ie[1]) & 0x00FF) + 2); + if (le16_to_cpu(vs_param_set->header.len) > + MWIFIEX_MAX_VSIE_LEN) { + mwifiex_dbg(priv->adapter, ERROR, + "Invalid param length!\n"); + break; + } + memcpy(vs_param_set->ie, priv->vs_ie[id].ie, le16_to_cpu(vs_param_set->header.len)); *buffer += le16_to_cpu(vs_param_set->header.len) + -- 2.20.1