From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Qing Xu, Kalle Valo, Sasha Levin, linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 125/141] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
Date: Fri, 14 Feb 2020 11:21:05 -0500
Message-Id: <20200214162122.19794-125-sashal@kernel.org>
In-Reply-To: <20200214162122.19794-1-sashal@kernel.org>
References: <20200214162122.19794-1-sashal@kernel.org>

From: Qing Xu

[ Upstream commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d ]

mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking the destination size may trigger a buffer overflow, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu
Signed-off-by: Kalle Valo
Signed-off-by: Sasha Levin
---
 drivers/net/wireless/marvell/mwifiex/scan.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c index 828c6f5eb83c8..5fde2e2f1fea8 100644 --- a/drivers/net/wireless/marvell/mwifiex/scan.c +++ b/drivers/net/wireless/marvell/mwifiex/scan.c @@ -2878,6 +2878,13 @@ mwifiex_cmd_append_vsie_tlv(struct mwifiex_private *priv, vs_param_set->header.len = cpu_to_le16((((u16) priv->vs_ie[id].ie[1]) & 0x00FF) + 2); + if (le16_to_cpu(vs_param_set->header.len) > + MWIFIEX_MAX_VSIE_LEN) { + mwifiex_dbg(priv->adapter, ERROR, + "Invalid param length!\n"); + break; + } + memcpy(vs_param_set->ie, priv->vs_ie[id].ie, le16_to_cpu(vs_param_set->header.len)); *buffer += le16_to_cpu(vs_param_set->header.len) + -- 2.20.1
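
Review bot: in the check added before `memcpy()`, the length is validated only after it has been stored in `vs_param_set->header.len`, so on the `break` path the rejected value is left behind in the TLV header inside the command buffer, and the same field is converted back with `le16_to_cpu()` at every later use. Compute the length once into a local `u16` from `priv->vs_ie[id].ie[1]`, compare that against `MWIFIEX_MAX_VSIE_LEN`, and only then fill in the header and copy. Since the value is `(ie[1] & 0x00FF) + 2`, it can never exceed 257, so the test only has an effect if `MWIFIEX_MAX_VSIE_LEN` is below that; a comment stating which array size the constant stands for would make the bound checkable by a reader. The test also limits a single element against a constant, while nothing visible in the hunk bounds the running total added to `*buffer`, so the "destination size" named in the commit message is covered only if the caller guarantees room for every element. If this sits in a loop over `id`, `break` drops every later entry as well as the rejected one, which deserves a comment if intended (`continue` otherwise), and the log line would be more useful with `id` and the rejected length in it.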