Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp349777pxu; Thu, 7 Jan 2021 06:41:22 -0800 (PST) X-Google-Smtp-Source: ABdhPJzT3xLrWIdh8o2+G+2tFp5mbKrtuDz0PFJKSlQUbq2F3lyW5SCNSOpNNT1zrGNvM5Ixo0VZ X-Received: by 2002:a17:906:4a47:: with SMTP id a7mr6572621ejv.345.1610030482742; Thu, 07 Jan 2021 06:41:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610030482; cv=none; d=google.com; s=arc-20160816; b=fwG8KHEhFpz3Au+cDH6zcMN9n9h58FeRB92JNKC7243pwkMRFQ1VJw9oG/FfjN33xi x9RplqKqrbx8rHwIEtrldpIpg0nepIdc17zt1VkYqcFsunjSwxfTJ0ldWvGFAvkzntRI pgs5W7WAOvEMTJKN8WhEV/ZQHbMf+/dwnUvW1tyVRUcg8EYB1IcbUqYK7ArbqRElLues byTJdMQPNRuGGVbVTDcZntEYi47cAaIqhrBD8gV6JdZbGFvDqY3QzbLWOHiyVlOULdru x3DeYl8RZzolpnYLYnSdbUZ5w7IV1MGNBdBYswk8dlbEpwub6Hc/LknXAtorKfigSEyK mJcw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=fgUnxgoUMUjZJFnviFvAHZFI6mxDHy6tZsE8zUFbA0U=; b=HJKy6uMKNkOKS1K4PdXYpOjy5o+S5QYLik6W1UPDFdtDHb6vYz1O6ASTY6ef/xUdHu WK+Lpxqq8xKoE9vF4XTbmcw9YPX3y/AK9Ad1tNGwvAKqG/d69TqYXV6bOpA1mvdC6yUF fglk/lgmSOCH3Hzir5U5ie/bJfPSS9XhnHCYE1zT1DARFLRBeVb4DU+KOD3IqEhA47Mm lgVptmkpzXdBGM2dUx9svtrbo6EHIEonY5DZwtDP1+Z1STVmCXc3pxzAvHlWmpq24ZtW RU3AptAgtQHvT3+Ft8HHut7N4gcNGJWDa8KJ1pyre73DOcbXkiOAQOW7zumqbRmq0Hkc LgOg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=2PdhFDzi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m14si2301258ejr.242.2021.01.07.06.40.59; Thu, 07 Jan 2021 06:41:22 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=2PdhFDzi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729275AbhAGOg5 (ORCPT + 99 others); Thu, 7 Jan 2021 09:36:57 -0500 Received: from mail.kernel.org ([198.145.29.99]:45974 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729237AbhAGOcL (ORCPT ); Thu, 7 Jan 2021 09:32:11 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 7874D2311E; Thu, 7 Jan 2021 14:31:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1610029913; bh=ZqsyhDJr975uH78eq9vlqfIjc4P44FyApTZEkqL50qQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=2PdhFDzichQVEBmPtRq1BrQhiesi3KLCUejxzSRte00ZQBkNQ8txU208LuM/jW8q1 lg3F5itXTuL4yo+CfEJkt0kFd8h7xDijrvjRG600oKl0V6aZ9eTdgbCN0TlmtseYyn uY+0wMQmivO7L2anBu3MysOZW0j2S3vBPF9SNfEU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Zhang Xiaohui , Kalle Valo , Sasha Levin Subject: [PATCH 4.19 8/8] mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start Date: Thu, 7 Jan 2021 15:32:08 +0100 Message-Id: <20210107143048.752377363@linuxfoundation.org> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210107143047.586006010@linuxfoundation.org> References: <20210107143047.586006010@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Zhang Xiaohui [ Upstream commit 5c455c5ab332773464d02ba17015acdca198f03d ] mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking the destination size may trigger a buffer overflower, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed-off-by: Zhang Xiaohui Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com Signed-off-by: Sasha Levin --- drivers/net/wireless/marvell/mwifiex/join.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/marvell/mwifiex/join.c b/drivers/net/wireless/marvell/mwifiex/join.c index d87aeff70cefb..c2cb1e711c06e 100644 --- a/drivers/net/wireless/marvell/mwifiex/join.c +++ b/drivers/net/wireless/marvell/mwifiex/join.c @@ -877,6 +877,8 @@ mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv, memset(adhoc_start->ssid, 0, IEEE80211_MAX_SSID_LEN); + if (req_ssid->ssid_len > IEEE80211_MAX_SSID_LEN) + req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN; memcpy(adhoc_start->ssid, req_ssid->ssid, req_ssid->ssid_len); mwifiex_dbg(adapter, INFO, "info: ADHOC_S_CMD: SSID = %s\n", -- 2.27.0