Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bound noa_num against P2P_MAX_NOA_NUM.
Reported-by: Nicolas Waisman <[email protected]>
Signed-off-by: Laura Abbott <[email protected]>
---
v2: Use P2P_MAX_NOA_NUM instead of erroring out.
---
drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
index 70f04c2f5b17..fff8dda14023 100644
--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
+++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
@@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
return;
} else {
noa_num = (noa_len - 2) / 13;
+ if (noa_num > P2P_MAX_NOA_NUM)
+ noa_num = P2P_MAX_NOA_NUM;
+
}
noa_index = ie[3];
if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
@@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
return;
} else {
noa_num = (noa_len - 2) / 13;
+ if (noa_num > P2P_MAX_NOA_NUM)
+ noa_num = P2P_MAX_NOA_NUM;
+
}
noa_index = ie[3];
if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
--
2.21.0
On Fri, 2019-10-18 at 07:43 -0400, Laura Abbott wrote:
> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
>
> Reported-by: Nicolas Waisman <[email protected]>
> Signed-off-by: Laura Abbott <[email protected]>
Acked-by: Ping-Ke Shih <[email protected]>
and Please CC to stable
Cc: Stable <[email protected]> # 4.4+
---
Hi Kalle,
This bug was existing since v3.10, and directory of wireless drivers were
moved at v4.4. Do I need send another patch to fix this issue for longterm
kernel v3.16.75?
Thanks
PK
> ---
> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
> ---
> drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c
> b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..fff8dda14023 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void
> *data,
> return;
> } else {
> noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
> }
> noa_index = ie[3];
> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw,
> void *data,
> return;
> } else {
> noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
> }
> noa_index = ie[3];
> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
On 10/19/19 6:51 AM, Kalle Valo wrote:
> Laura Abbott <[email protected]> writes:
>
>> Nicolas Waisman noticed that even though noa_len is checked for
>> a compatible length it's still possible to overrun the buffers
>> of p2pinfo since there's no check on the upper bound of noa_num.
>> Bound noa_num against P2P_MAX_NOA_NUM.
>>
>> Reported-by: Nicolas Waisman <[email protected]>
>> Signed-off-by: Laura Abbott <[email protected]>
>> ---
>> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
>> ---
>> drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
>> index 70f04c2f5b17..fff8dda14023 100644
>> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
>> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
>> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
>> return;
>> } else {
>> noa_num = (noa_len - 2) / 13;
>> + if (noa_num > P2P_MAX_NOA_NUM)
>> + noa_num = P2P_MAX_NOA_NUM;
>> +
>> }
>> noa_index = ie[3];
>> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
>> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
>> return;
>> } else {
>> noa_num = (noa_len - 2) / 13;
>> + if (noa_num > P2P_MAX_NOA_NUM)
>> + noa_num = P2P_MAX_NOA_NUM;
>
> IMHO using min() would be cleaner, but I'm fine with this as well. Up to
> you.
>
I believe the intention is to re-write this anyway so I'd prefer to
just get this in given the uptick this issue seems to have gotten.
Thanks,
Laura
Laura Abbott <[email protected]> wrote:
> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
>
> Reported-by: Nicolas Waisman <[email protected]>
> Signed-off-by: Laura Abbott <[email protected]>
> Acked-by: Ping-Ke Shih <[email protected]>
Patch applied to wireless-drivers.git, thanks.
8c55dedb795b rtlwifi: Fix potential overflow on P2P code
--
https://patchwork.kernel.org/patch/11198315/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches