From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Denis Kirjanov, "John W. Linville", "Avinash Patil", "Dan Carpenter"
Date: Fri, 24 Apr 2020 00:03:52 +0100
Subject: [PATCH 3.16 005/245] mwifiex: fix probable memory corruption while processing TDLS frame

3.16.83-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Avinash Patil

commit 3c99832d74777c9ec5545a92450fac5d37b0d0e1 upstream.

Size of RSN IE buffer in driver is 254 while maximum size of received buffer to be copied to RSN IE buffer can be 255. Add boundary check to copy maximum of 254 bytes into RSN IE buffer.

Reported-by: Dan Carpenter
Signed-off-by: Avinash Patil
Signed-off-by: John W. Linville
Signed-off-by: Ben Hutchings

--- drivers/net/wireless/mwifiex/tdls.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/net/wireless/mwifiex/tdls.c +++ b/drivers/net/wireless/mwifiex/tdls.c @@ -877,7 +877,9 @@ void mwifiex_process_tdls_action_frame(s break; case WLAN_EID_RSN: memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos, - sizeof(struct ieee_types_header) + pos[1]); + sizeof(struct ieee_types_header) + + min_t(u8, pos[1], IEEE_MAX_IE_SIZE - + sizeof(struct ieee_types_header))); break; case WLAN_EID_QOS_CAPA: sta_ptr->tdls_cap.qos_info = pos[2];
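
Review bot: In the WLAN_EID_RSN case the clamp limits how many bytes memcpy() writes, but the two header bytes are still copied from pos unchanged, so the length byte stored in sta_ptr->tdls_cap.rsn_ie keeps the original pos[1] even when the payload was truncated. Any later reader that trusts the stored length would then walk past the bytes that were actually copied. Consider either skipping an RSN IE whose pos[1] exceeds IEEE_MAX_IE_SIZE - sizeof(struct ieee_types_header), or overwriting the stored length with the clamped value right after the memcpy(). A smaller point on the same lines: min_t(u8, ...) casts both operands to u8, so the bound is only right while IEEE_MAX_IE_SIZE - sizeof(struct ieee_types_header) fits in 8 bits. Deriving the limit from sizeof(sta_ptr->tdls_cap.rsn_ie) would tie it to the destination buffer directly, and a one-line comment stating the destination size (254 per the commit message) would make the intent checkable from the code.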