Subject: Re: [PATCH] mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
From: Johannes Berg
To: huangwenabc@gmail.com, linux-wireless@vger.kernel.org
Cc: amitkarwar@gmail.com, nishants@marvell.com, gbhat@marvell.com, huxinming820@gmail.com, solar@openwall.com, greg@kroah.com, kvalo@codeaurora.org, sashal@kernel.org, mrehak@redhat.com
Date: Wed, 28 Aug 2019 22:36:58 +0200
In-Reply-To: <20190828020751.13625-1-huangwenabc@gmail.com>
References: <20190828020751.13625-1-huangwenabc@gmail.com>
List: linux-wireless@vger.kernel.org

First of all, the subject doesn't make a lot of sense?
Secondly, for a fix the code is fine I guess, but:

> 	rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
> 					   params->beacon.tail,
> 					   params->beacon.tail_len);

consider removing struct ieee_types_header from your driver, and using struct element from instead. This also comes with cfg80211_find_elem() that returns a suitably typed pointer, so you don't need any casts.

> 	if (vendor_ie) {
> 		wmm_ie = vendor_ie;
> +		if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info))
> +			return;

and using it here would be a whole lot easier to understand too :)

johannes
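Review bot: the new check compares the element's length byte, `*(wmm_ie + 1)`, against `sizeof(struct mwifiex_types_wmm_info)`; that byte counts only the bytes after the two-byte ID/length header, so the comparison is a correct upper bound for the copy only if `struct mwifiex_types_wmm_info` describes the element body alone and carries no header of its own. Worth stating in the commit message (or a comment) which it is, and writing the check as `wmm_ie->datalen > sizeof(...)` once `struct element` is used, so the intent is visible without the pointer arithmetic. The early `return` is also silent; a counter or `mwifiex_dbg()` line at that point would make a malformed-element rejection observable to whoever is debugging AP setup.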
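As an added, self-contained illustration of the parsing discipline being discussed (this is not code from the patch, from the mwifiex driver, or from cfg80211): a userspace mirror of a typed element struct, a bounded element walk in the spirit of cfg80211_find_elem() that refuses to read past the buffer it was given, and the length check expressed through a `datalen` field before anything is copied into a fixed-size destination. The `struct element` layout, the `struct wmm_info` stand-in for the driver's destination struct, the `find_elem()`/`find_vendor_elem()`/`copy_wmm_info()` names and the sample beacon tails are all assumptions constructed for this example, not captured from a real AP or taken from the kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed userspace mirror of a typed IE: ID byte, length byte, body. */
struct element {
    uint8_t id;
    uint8_t datalen;
    uint8_t data[];
} __attribute__((packed));

#define EID_EXT_SUPP_RATES  50
#define EID_VENDOR_SPECIFIC 221

/* Constructed stand-in for the driver's fixed-size WMM destination (24 bytes). */
struct wmm_info {
    uint8_t oui[4];        /* OUI + OUI type */
    uint8_t subtype;
    uint8_t version;
    uint8_t qos_info;
    uint8_t reserved;
    uint8_t ac_params[16]; /* 4 access categories x 4 bytes */
} __attribute__((packed));

/* Return the first element with `id` whose header AND body lie inside
 * [buf, buf + len). A truncated element stops the walk: NULL, no over-read. */
const struct element *find_elem(uint8_t id, const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off + sizeof(struct element) <= len) {
        const struct element *e = (const struct element *)(buf + off);
        size_t total = sizeof(struct element) + e->datalen;
        if (total > len - off)
            return NULL;            /* length byte claims more than remains */
        if (e->id == id)
            return e;
        off += total;
    }
    return NULL;
}

/* Vendor-specific element matching a 3-byte OUI and an OUI type byte. */
const struct element *find_vendor_elem(const uint8_t oui[3], uint8_t oui_type,
                                       const uint8_t *buf, size_t len)
{
    size_t off = 0;
    const struct element *e;
    while ((e = find_elem(EID_VENDOR_SPECIFIC, buf + off, len - off)) != NULL) {
        if (e->datalen >= 4 && memcmp(e->data, oui, 3) == 0 && e->data[3] == oui_type)
            return e;
        off = (size_t)((const uint8_t *)e - buf) + sizeof(struct element) + e->datalen;
    }
    return NULL;
}

/* Copy the WMM element body into `out` only if it fits.
 * 0 = copied, -1 = no WMM element, -2 = element larger than destination. */
int copy_wmm_info(const uint8_t *tail, size_t tail_len, struct wmm_info *out)
{
    static const uint8_t wmm_oui[3] = {0x00, 0x50, 0xf2};
    const struct element *e = find_vendor_elem(wmm_oui, 2, tail, tail_len);
    if (!e)
        return -1;
    if (e->datalen > sizeof(*out))      /* the bound the patch adds, via datalen */
        return -2;
    memset(out, 0, sizeof(*out));
    memcpy(out, e->data, e->datalen);   /* now provably <= sizeof(*out) */
    return 0;
}

/* Constructed sample tails. */
static const uint8_t tail_ok[] = {
    0x32, 0x04, 0x30, 0x48, 0x60, 0x6c,                         /* ext supp rates */
    0xdd, 0x18, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01, 0x80, 0x00, /* WMM, len 24 */
    0x03, 0xa4, 0x00, 0x00, 0x27, 0xa4, 0x00, 0x00,
    0x42, 0x43, 0x5e, 0x00, 0x62, 0x32, 0x2f, 0x00,
};
static const uint8_t tail_oversized[] = {                       /* WMM, len 32 */
    0xdd, 0x20, 0x00, 0x50, 0xf2, 0x02,
    0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0,
};
static const uint8_t tail_truncated[] = { 0x32, 0x10, 0x30 };   /* claims 16, has 1 */

int demo_ok(void)
{
    struct wmm_info w;
    return copy_wmm_info(tail_ok, sizeof tail_ok, &w) == 0 && w.version == 1 && w.qos_info == 0x80;
}
int demo_oversized(void) { struct wmm_info w; return copy_wmm_info(tail_oversized, sizeof tail_oversized, &w); }
int demo_truncated(void) { return find_elem(EID_EXT_SUPP_RATES, tail_truncated, sizeof tail_truncated) == NULL; }
int demo_rates_len(void)
{
    const struct element *e = find_elem(EID_EXT_SUPP_RATES, tail_ok, sizeof tail_ok);
    return e ? e->datalen : -1;
}

int main(void)
{
    printf("ok=%d oversized=%d truncated=%d rates_len=%d\n",
           demo_ok(), demo_oversized(), demo_truncated(), demo_rates_len());
    return 0;
}
```

The two places where the original code could go wrong are kept apart on purpose: `find_elem()` guarantees the element itself is inside the tail buffer (so reading `datalen` and the body never over-reads), and `copy_wmm_info()` separately bounds the body against the destination (so the copy never over-writes). Neither check substitutes for the other.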