Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp703393ybv; Thu, 13 Feb 2020 08:03:17 -0800 (PST) X-Google-Smtp-Source: APXvYqwoEoj/SsrpgrbQSTyTif17wH9/ip7J3g7LPgu6nBTgZIX5GlwY1kKcYP+Wq71B/nsb25mF X-Received: by 2002:a9d:7999:: with SMTP id h25mr13833302otm.347.1581609796942; Thu, 13 Feb 2020 08:03:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581609796; cv=none; d=google.com; s=arc-20160816; b=LSxVXM/YZwlesEEOYgHk9DWp7cgj725kL4bRhVxhBHGAQBTG16n3pii4WBykrZND89 r/uWfEFuxuyVNBDfaLqlwkhuANr8OM6+JfXL8RN2hbffpHZFAZLqmA6DgAag5p+9wIOD q50p0Y39lCsoQ90orctOMhtrLAXjlJ3rj5riUQI4bQFgMxkXEkfgAb1GbbQnfXXHk4t+ rZYkVM1tXiK3A5oX4kNx4vIoT1Y8w5i4vKJR6gsECudEzGTezdC5Zus2Xan+ZpRQ1yap gZXSiWiXn40gLzzF7hOA3DFATCdsJMnSFPZGV8wPRXSWA20Fg4fiv14J+PqfTBOl6jK6 Umjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=B+ZTJQ6+cUYtZxLQ3I7FdSmVnjzTmasla3+2RpYPm3Q=; b=zy03N6kNfqyz3QcQ1MaO7U8MFkeXIDTPhB+D+pBr/f/PcDHkiTPLs9XnhU2gy3fdiI DWPf3ZlhhRXO0KVm4d3EsuNkCmez07qCLb2z/Bm2hiF3EsyvYKOGYF/HLYkPrjbmd45z xFrgExfEKk10Gk7uablpIuwaT0/IGbb/FlEcUMIU+DS1QysETSf8hvBHlstxcLj6LvPk n3jheNrrSye/XDyHYpIYJaWn1QU/KAWMga0vqEjw8Lp/fZ74uLgF8wsWYr6H7iyq+4ew iIq1xTVXPCqImKg6ztoeX5ECdBLto8SnH4bixlfAkFFl0oNDCItcdLtfDqE5Snv7+uqJ IXfQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=oCpFvkTe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s16si1294728otq.253.2020.02.13.08.02.54; Thu, 13 Feb 2020 08:03:16 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=oCpFvkTe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388279AbgBMQCX (ORCPT + 99 others); Thu, 13 Feb 2020 11:02:23 -0500 Received: from mail.kernel.org ([198.145.29.99]:38148 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727436AbgBMPYb (ORCPT ); Thu, 13 Feb 2020 10:24:31 -0500 Received: from localhost (unknown [104.132.1.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 42E4D246A3; Thu, 13 Feb 2020 15:24:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1581607470; bh=0QNtSPm+AoXsO2JMqGV5AUqG6/mCDO+xNWdo/XCLGBg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=oCpFvkTeLnKVpsaypN6+jWN86x2Hc3xM51eJEwI3Pi46AGvj1O+pjJ02JC43YUS1x VZZfHfCgX8Zwtse5wydxvhC+uKl1QLpq+Gl27UqLMYvbMVj/mPr8Y7UP0fOOtdFiAI VsXoxcFKROavR5W/Oh7CK/fzI6GFCFzSgZqgXgI4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Qing Xu , Kalle Valo , Sasha Levin Subject: [PATCH 4.9 114/116] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() Date: Thu, 13 Feb 2020 07:20:58 -0800 Message-Id: <20200213151926.169770541@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200213151842.259660170@linuxfoundation.org> References: <20200213151842.259660170@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Qing Xu [ Upstream commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d ] mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking the destination size may trigger a buffer overflower, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed-off-by: Qing Xu Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin --- drivers/net/wireless/marvell/mwifiex/scan.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c index 828c6f5eb83c8..5fde2e2f1fea8 100644 --- a/drivers/net/wireless/marvell/mwifiex/scan.c +++ b/drivers/net/wireless/marvell/mwifiex/scan.c @@ -2878,6 +2878,13 @@ mwifiex_cmd_append_vsie_tlv(struct mwifiex_private *priv, vs_param_set->header.len = cpu_to_le16((((u16) priv->vs_ie[id].ie[1]) & 0x00FF) + 2); + if (le16_to_cpu(vs_param_set->header.len) > + MWIFIEX_MAX_VSIE_LEN) { + mwifiex_dbg(priv->adapter, ERROR, + "Invalid param length!\n"); + break; + } + memcpy(vs_param_set->ie, priv->vs_ie[id].ie, le16_to_cpu(vs_param_set->header.len)); *buffer += le16_to_cpu(vs_param_set->header.len) + -- 2.20.1