2023-08-30 18:33:36

by Jeff Johnson

Subject: [PATCH v2 0/2] wifi: Fix struct ieee80211_tim_ie::virtual_map

To align with [1] change struct ieee80211_tim_ie::virtual_map to be a
flexible array and fix all size references to account for the change
in struct size.

As a precursor, add a size check in a place where one is currently
missing.

[1] https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays

Signed-off-by: Jeff Johnson <[email protected]>
---
Changes in v2:
- Cover Letter
  - removed internal note
- [PATCH 2/2] mac80211: Use flexible array in struct ieee80211_tim_ie
  - Fixed typo: s/no/now/
- Link to v1: https://lore.kernel.org/r/[email protected]

---
Jeff Johnson (2):
      wifi: cw1200: Avoid processing an invalid TIM IE
      mac80211: Use flexible array in struct ieee80211_tim_ie

 drivers/net/wireless/ath/ath9k/recv.c          | 2 +-
 drivers/net/wireless/ath/carl9170/rx.c         | 2 +-
 drivers/net/wireless/ralink/rt2x00/rt2x00dev.c | 2 +-
 drivers/net/wireless/realtek/rtlwifi/ps.c      | 2 +-
 drivers/net/wireless/st/cw1200/txrx.c          | 2 +-
 include/linux/ieee80211.h                      | 4 ++--
 net/mac80211/util.c                            | 2 +-
 7 files changed, 8 insertions(+), 8 deletions(-)
---
base-commit: 4dddbad8907bc2ecda6e3714de3ea0a27b90a7d3
change-id: 20230825-ieee80211_tim_ie-0391430af36d



2023-08-30 18:37:16

by Jeff Johnson

Subject: [PATCH v2 1/2] wifi: cw1200: Avoid processing an invalid TIM IE

While converting struct ieee80211_tim_ie::virtual_map to be a flexible
array it was observed that the TIM IE processing in cw1200_rx_cb()
could potentially process a malformed IE in a manner that could result
in a buffer over-read. Add logic to verify that the TIM IE length is
large enough to hold a valid TIM payload before processing it.

Signed-off-by: Jeff Johnson <[email protected]>
---
drivers/net/wireless/st/cw1200/txrx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/st/cw1200/txrx.c b/drivers/net/wireless/st/cw1200/txrx.c
index 6894b919ff94..e16e9ae90d20 100644
--- a/drivers/net/wireless/st/cw1200/txrx.c
+++ b/drivers/net/wireless/st/cw1200/txrx.c
@@ -1166,7 +1166,7 @@ void cw1200_rx_cb(struct cw1200_common *priv,
size_t ies_len = skb->len - (ies - (u8 *)(skb->data));

tim_ie = cfg80211_find_ie(WLAN_EID_TIM, ies, ies_len);
- if (tim_ie) {
+ if (tim_ie && tim_ie[1] >= sizeof(struct ieee80211_tim_ie)) {
struct ieee80211_tim_ie *tim =
(struct ieee80211_tim_ie *)&tim_ie[2];

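Review bot: the bound in `+ if (tim_ie && tim_ie[1] >= sizeof(struct ieee80211_tim_ie)) {` is the struct's own size, and the cover letter says patch 2/2 changes that size by turning the one-element virtual_map into a flexible array, so the minimum element length this line accepts is one byte larger with only 1/2 applied than with both. With the flexible layout the comparison guarantees only the three fixed octets behind `tim` and nothing of virtual_map, so if the body after the cast at `&tim_ie[2]` reads `tim->virtual_map[0]` the check should say so explicitly, e.g. `tim_ie[1] >= sizeof(struct ieee80211_tim_ie) + 1` once 2/2 is in, or a named minimum that does not move with the struct, and the commit message should state which layout it assumes. Worth noting for the record: `tim_ie[1]` is the element's declared length and cfg80211_find_ie() has already confirmed the element fits inside `ies_len`, so the over-read being guarded here is the struct's fixed fields extending past a short element, not a read past the skb.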

--
2.25.1
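Added example, written for this page and not code from the patch series or from the cw1200 driver. It illustrates two points together: the cover letter's note that sizeof(struct ieee80211_tim_ie) changes when virtual_map goes from a one-element array to a flexible array, and the element length check that patch 1/2 adds. The struct names are local copies modelled on the kernel's layout (three u8 fields and the bitmap), find_ie() is a minimal stand-in for cfg80211_find_ie(), and the IE buffers are constructed, not captured traffic. The explicit minimum of three fixed octets plus one bitmap octet is the example's own choice, matching the 802.11 TIM element's smallest legal length.

```c
/*
 * Stand-alone user-space C. Struct names mirror the kernel's but are local
 * copies; find_ie() stands in for cfg80211_find_ie(); sample IE buffers are
 * constructed for the example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WLAN_EID_TIM  5
#define TIM_FIXED_LEN 3   /* dtim_count + dtim_period + bitmap_ctrl */

/* Layout before the series: one-element array, so sizeof == 4. */
struct tim_ie_legacy {
	uint8_t dtim_count;
	uint8_t dtim_period;
	uint8_t bitmap_ctrl;
	uint8_t virtual_map[1];
};

/* Layout after a patch 2/2 style conversion: flexible array, sizeof == 3. */
struct tim_ie_flex {
	uint8_t dtim_count;
	uint8_t dtim_period;
	uint8_t bitmap_ctrl;
	uint8_t virtual_map[];
};

/* Walk the TLV list; return the element with id `eid`, or NULL when it is
 * absent or when any element's declared length overruns `len`. */
static const uint8_t *find_ie(uint8_t eid, const uint8_t *ies, size_t len)
{
	while (len >= 2) {
		size_t elen = ies[1];

		if (elen + 2 > len)
			return NULL;        /* element claims more than remains */
		if (ies[0] == eid)
			return ies;
		ies += elen + 2;
		len -= elen + 2;
	}
	return NULL;
}

/* The shape of the check in patch 1/2, with the struct size it compares
 * against passed in so the effect of the layout change is visible. */
static bool tim_len_ok(const uint8_t *tim_ie, size_t struct_size)
{
	return tim_ie && tim_ie[1] >= struct_size;
}

struct tim_info {
	uint8_t dtim_count;
	uint8_t dtim_period;
	bool multicast;        /* bitmap_ctrl bit 0 */
	size_t bitmap_len;     /* octets in the partial virtual bitmap */
};

/* Parse the TIM out of an IE buffer. The minimum is stated explicitly
 * (fixed fields plus one bitmap octet) rather than derived from a struct
 * size that moves when the layout changes. */
static bool parse_tim(const uint8_t *ies, size_t ies_len, struct tim_info *out)
{
	const uint8_t *tim_ie = find_ie(WLAN_EID_TIM, ies, ies_len);
	const struct tim_ie_flex *tim;

	if (!tim_ie || tim_ie[1] < TIM_FIXED_LEN + 1)
		return false;
	tim = (const struct tim_ie_flex *)&tim_ie[2];
	out->dtim_count = tim->dtim_count;
	out->dtim_period = tim->dtim_period;
	out->multicast = tim->bitmap_ctrl & 0x01;
	out->bitmap_len = tim_ie[1] - TIM_FIXED_LEN;
	return true;
}

/* Constructed sample buffers: an SSID element followed by a TIM element. */
static const uint8_t ies_valid[] = {
	0x00, 0x02, 'a', 'b',
	WLAN_EID_TIM, 0x05, 0x01, 0x03, 0x01, 0x04, 0x00,  /* map = 04 00 */
};
static const uint8_t ies_fixed_only[] = {
	0x00, 0x02, 'a', 'b',
	WLAN_EID_TIM, 0x03, 0x01, 0x03, 0x00,              /* no bitmap octet */
};
static const uint8_t ies_truncated[] = {
	0x00, 0x02, 'a', 'b',
	WLAN_EID_TIM, 0x02, 0x01, 0x03,                    /* no bitmap_ctrl */
};

int main(void)
{
	const uint8_t *t = find_ie(WLAN_EID_TIM, ies_fixed_only, sizeof(ies_fixed_only));
	struct tim_info info;

	printf("sizeof legacy = %zu, flex = %zu\n",
	       sizeof(struct tim_ie_legacy), sizeof(struct tim_ie_flex));
	printf("fixed-only TIM passes legacy-size check: %d, flex-size check: %d\n",
	       tim_len_ok(t, sizeof(struct tim_ie_legacy)),
	       tim_len_ok(t, sizeof(struct tim_ie_flex)));
	printf("parse valid: %d, fixed-only: %d, truncated: %d\n",
	       parse_tim(ies_valid, sizeof(ies_valid), &info),
	       parse_tim(ies_fixed_only, sizeof(ies_fixed_only), &info),
	       parse_tim(ies_truncated, sizeof(ies_truncated), &info));
	return 0;
}
```

The point to take from running it: with the one-element layout, `tim_ie[1] >= sizeof(struct)` happens to require one bitmap octet because the array member is counted; with the flexible layout the same expression admits a three-octet TIM whose virtual_map is empty, so a later read of `virtual_map[0]` would be one byte past the element. Naming the minimum instead of borrowing it from sizeof keeps the check's meaning fixed across the struct conversion.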