User-space can choose to omit NL80211_ATTR_SSID and only provide raw
IE TLV data. When doing so it can provide SSID IE with length exceeding
the allowed size. The driver further processes this IE copying it
into a local variable without checking the length. Hence stack can be
corrupted and used as exploit.
Cc: [email protected] # v4.7
Reported-by: Daxing Guo <[email protected]>
Reviewed-by: Hante Meuleman <[email protected]>
Reviewed-by: Pieter-Paul Giesberts <[email protected]>
Reviewed-by: Franky Lin <[email protected]>
Signed-off-by: Arend van Spriel <[email protected]>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 5db56a7..b8aec5e5 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -4527,7 +4527,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
(u8 *)&settings->beacon.head[ie_offset],
settings->beacon.head_len - ie_offset,
WLAN_EID_SSID);
- if (!ssid_ie)
+ if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
return -EINVAL;
memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
--
1.9.1
On 5-9-2016 11:45, Arend van Spriel wrote:
> User-space can choose to omit NL80211_ATTR_SSID and only provide raw
> IE TLV data. When doing so it can provide SSID IE with length exceeding
> the allowed size. The driver further processes this IE copying it
> into a local variable without checking the length. Hence stack can be
> corrupted and used as exploit.
This patch is intended for wireless-drivers repository, ie. for v4.8.
Regards,
Arend
> Cc: [email protected] # v4.7
> Reported-by: Daxing Guo <[email protected]>
> Reviewed-by: Hante Meuleman <[email protected]>
> Reviewed-by: Pieter-Paul Giesberts <[email protected]>
> Reviewed-by: Franky Lin <[email protected]>
> Signed-off-by: Arend van Spriel <[email protected]>
> ---
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index 5db56a7..b8aec5e5 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -4527,7 +4527,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
> (u8 *)&settings->beacon.head[ie_offset],
> settings->beacon.head_len - ie_offset,
> WLAN_EID_SSID);
> - if (!ssid_ie)
> + if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
> return -EINVAL;
>
> memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
>
Arend Van Spriel <[email protected]> wrote:
> User-space can choose to omit NL80211_ATTR_SSID and only provide raw
> IE TLV data. When doing so it can provide SSID IE with length exceeding
> the allowed size. The driver further processes this IE copying it
> into a local variable without checking the length. Hence stack can be
> corrupted and used as exploit.
>
> Cc: [email protected] # v4.7
> Reported-by: Daxing Guo <[email protected]>
> Reviewed-by: Hante Meuleman <[email protected]>
> Reviewed-by: Pieter-Paul Giesberts <[email protected]>
> Reviewed-by: Franky Lin <[email protected]>
> Signed-off-by: Arend van Spriel <[email protected]>
Thanks, 1 patch applied to wireless-drivers.git:
ded89912156b brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
--
Sent by pwcli
https://patchwork.kernel.org/patch/9313305/