The value for "aid" comes from skb->data so Smatch marks it as
untrusted. If it's invalid then it can result in an out of bounds array
access in ath6kl_add_new_sta().
Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates")
Signed-off-by: Dan Carpenter <[email protected]>
---
drivers/net/wireless/ath/ath6kl/main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c
index 5e7ea838a921..814131a0680a 100644
--- a/drivers/net/wireless/ath/ath6kl/main.c
+++ b/drivers/net/wireless/ath/ath6kl/main.c
@@ -430,6 +430,9 @@ void ath6kl_connect_ap_mode_sta(struct ath6kl_vif *vif, u16 aid, u8 *mac_addr,
ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid);
+ if (aid < 1 || aid > AP_MAX_NUM_STA)
+ return;
+
if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) {
struct ieee80211_mgmt *mgmt =
(struct ieee80211_mgmt *) assoc_info;
--
2.28.0
nitpicking:
the debugtrace will give the impression that the function is
running. perhaps it is more clever to have this after the check.
jm2c,
wh
________________________________________
Von: [email protected] [[email protected]] im Auftrag von Dan Carpenter [[email protected]]
Gesendet: Donnerstag, 13. August 2020 16:13
An: Kalle Valo
Cc: Jakub Kicinski; Jouni Malinen; [email protected]; [email protected]
Betreff: [PATCH] ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
The value for "aid" comes from skb->data so Smatch marks it as
untrusted. If it's invalid then it can result in an out of bounds array
access in ath6kl_add_new_sta().
Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates")
Signed-off-by: Dan Carpenter <[email protected]>
---
drivers/net/wireless/ath/ath6kl/main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c
index 5e7ea838a921..814131a0680a 100644
--- a/drivers/net/wireless/ath/ath6kl/main.c
+++ b/drivers/net/wireless/ath/ath6kl/main.c
@@ -430,6 +430,9 @@ void ath6kl_connect_ap_mode_sta(struct ath6kl_vif *vif, u16 aid, u8 *mac_addr,
ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid);
+ if (aid < 1 || aid > AP_MAX_NUM_STA)
+ return;
+
if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) {
struct ieee80211_mgmt *mgmt =
(struct ieee80211_mgmt *) assoc_info;
--
2.28.0
Walter Harms <[email protected]> writes:
> the debugtrace will give the impression that the function is
> running. perhaps it is more clever to have this after the check.
But it's possible to deduce from the debug message that aid is out of
limit, so I prefer the way Dan did it.
Please don't top post. Also your mails are not visible in patchwork and
are easily missed, most likely due to using "AW:" in the subject.
https://patchwork.kernel.org/patch/11712551/
--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
On Fri, Aug 14, 2020 at 08:49:43AM +0000, Walter Harms wrote:
> nitpicking:
>
> the debugtrace will give the impression that the function is
> running. perhaps it is more clever to have this after the check.
>
The debug is more useful they way I did it. Otherwise it doesn't
print anything. This is also the normal way to do this sort of
debugging.
regards,
dan carpenter
Dan Carpenter <[email protected]> wrote:
> The value for "aid" comes from skb->data so Smatch marks it as
> untrusted. If it's invalid then it can result in an out of bounds array
> access in ath6kl_add_new_sta().
>
> Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates")
> Signed-off-by: Dan Carpenter <[email protected]>
> Signed-off-by: Kalle Valo <[email protected]>
Patch applied to ath-next branch of ath.git, thanks.
54f9ab7b8709 ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
--
https://patchwork.kernel.org/patch/11712551/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches