From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zhang Xiaohui, Kalle Valo, Sasha Levin
Subject: [PATCH 4.14 29/29] mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start
Date: Thu, 7 Jan 2021 15:31:44 +0100
Message-Id: <20210107143057.119431084@linuxfoundation.org>
In-Reply-To: <20210107143052.973437064@linuxfoundation.org>
References: <20210107143052.973437064@linuxfoundation.org>

From: Zhang Xiaohui

[ Upstream commit 5c455c5ab332773464d02ba17015acdca198f03d ]

mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking the destination size may trigger a buffer overflow, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy().

Signed-off-by: Zhang Xiaohui
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com
Signed-off-by: Sasha Levin

--- drivers/net/wireless/marvell/mwifiex/join.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/marvell/mwifiex/join.c b/drivers/net/wireless/marvell/mwifiex/join.c index d87aeff70cefb..c2cb1e711c06e 100644 --- a/drivers/net/wireless/marvell/mwifiex/join.c +++ b/drivers/net/wireless/marvell/mwifiex/join.c @@ -877,6 +877,8 @@ mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv, memset(adhoc_start->ssid, 0, IEEE80211_MAX_SSID_LEN); + if (req_ssid->ssid_len > IEEE80211_MAX_SSID_LEN) + req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN; memcpy(adhoc_start->ssid, req_ssid->ssid, req_ssid->ssid_len); mwifiex_dbg(adapter, INFO, "info: ADHOC_S_CMD: SSID = %s\n", -- 2.27.0
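
Review bot: The added clamp in mwifiex_cmd_802_11_ad_hoc_start() writes the corrected length back into the caller's structure (`req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN;`), so an oversized request is silently truncated and the caller's req_ssid is modified as a side effect of building the command. Bounding a local length variable and passing that to memcpy(), or rejecting the request with an error when ssid_len exceeds IEEE80211_MAX_SSID_LEN, would keep the overflow fix without altering the input or hiding a malformed request. Separately, the mwifiex_dbg() line after the copy formats an SSID with `%s`; its argument is cut off in this context, but if it is adhoc_start->ssid, a full IEEE80211_MAX_SSID_LEN-byte SSID leaves no NUL terminator inside the field that memset() cleared, so a length-bounded format such as `%.*s` would be safer there.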