From: Ganapathi Bhat
To:
CC: Cathy Luo, Zhiyuan Yang, James Cao, Rakesh Parmar, Brian Norris, Mohammad Tausif Siddiqui, huangwen, Ganapathi Bhat
Subject: [PATCH] mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
Date: Thu, 21 Nov 2019 21:18:36 +0530
Message-ID: <1574351316-7533-1-git-send-email-gbhat@marvell.com>
X-Mailing-List: linux-bluetooth@vger.kernel.org

The mwifiex_process_country_ie() function parses elements of the bss descriptor in the beacon packet. When processing the WLAN_EID_COUNTRY element, there is no upper limit check for country_ie_len before calling memcpy. The destination buffer domain_info->triplet is an array of length MWIFIEX_MAX_TRIPLET_802_11D (83).

A remote attacker can build a fake AP with the same ssid as the real AP, and send a malicious beacon packet with a long WLAN_EID_COUNTRY element (country_ie_len > 83). The attacker can force the STA to connect to the fake AP on a different channel. When the victim STA connects to the fake AP, this will trigger the heap buffer overflow.

Fix this by checking the length and, if found invalid, do not connect to the AP.

This fix addresses CVE-2019-14895.

Reported-by: huangwen
Signed-off-by: Ganapathi Bhat --- drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c index 74e5056..6dd835f 100644 --- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c @@ -229,6 +229,14 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv, "11D: skip setting domain info in FW\n"); return 0; } + + if (country_ie_len > + (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) { + mwifiex_dbg(priv->adapter, ERROR, + "11D: country_ie_len overflow!, deauth AP\n"); + return -EINVAL; + } + memcpy(priv->adapter->country_code, &country_ie[2], 2); domain_info->country_code[0] = country_ie[2]; @@ -272,8 +280,9 @@ int mwifiex_bss_start(struct mwifiex_private *priv, struct cfg80211_bss *bss, priv->scan_block = false; if (bss) { - if (adapter->region_code == 0x00) - mwifiex_process_country_ie(priv, bss); + if (adapter->region_code == 0x00 && + mwifiex_process_country_ie(priv, bss)) + return -EINVAL; /* Allocate and fill new bss descriptor */ bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor), -- 1.9.1
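Review bot: In the first hunk (mwifiex_process_country_ie), the bound `IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D` adds a byte count to a triplet count, and the commit message describes MWIFIEX_MAX_TRIPLET_802_11D (83) as the number of array elements in domain_info->triplet, not its size in bytes. The check is safe only if it is at least as strict as the later copy into domain_info->triplet (not visible in this hunk); please derive the limit from the destination size, e.g. `sizeof(domain_info->triplet)`, or add a comment stating the units so the relationship to the memcpy length is explicit. The error text "country_ie_len overflow!, deauth AP" also reads oddly for a path that rejects the AP before association; "reject AP" or "skip association" would match the behaviour.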
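Review bot: In the second hunk (mwifiex_bss_start), the return value of mwifiex_process_country_ie() is collapsed to a hard-coded -EINVAL, and every non-zero return from that function, not only the new length check, now aborts the connection where it was previously ignored. Prefer propagating the callee's own code, e.g. `ret = mwifiex_process_country_ie(priv, bss); if (ret) return ret;`, and state in the commit message that other failure paths of mwifiex_process_country_ie() will also prevent association from now on, if that is intended.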