Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp1367250ybl;
        Wed, 28 Aug 2019 13:37:52 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzfT0EDtmUbFrHqMcnQBat1NVV1LD+b9LPzbYZEWqGuD0k+lCSXZL0CneYS3fPSZvAEogtY
X-Received: by 2002:a63:6c46:: with SMTP id h67mr5228011pgc.248.1567024672384;
        Wed, 28 Aug 2019 13:37:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1567024672; cv=none;
        d=google.com; s=arc-20160816;
        b=Hg+oDjTOGmVKU7LnLMx3561uNCwa9Xu5HNbpvJJoHTL3H9TW6JfJ0Pnwtl68XE9B2L
         vcNGHlge/9/FRzPHOAdeFj2ZNW66kqZn0JES2Pt70/ir5r5yCNFe0P1xwygzBleEUg8m
         JbdETTRkLaTaLFt7dPUQniMEe1NLRAzPp6rzP1jTP/MQWuR3QUmLsApvPm7psqyq9NYy
         rf2FPF89dHTPNFvrQqhO/JeAdXHQcIUT0apr1w5LpgxBIR5HpErIHbi1Of/2juMeT69G
         owGvmAMboYFovR95zzrUqst6f8GpVxBs9e/zH1LU1I1CNVHul6kldWGlFSmdKkMUjTcq
         QMNg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:date:cc:to:from:subject
         :message-id;
        bh=rP+Rw1p3WaqbrxM9mWh0yUfbLbsYCY3vcn6ZIWRMicg=;
        b=rmKXjjIeH4UrlWXKLqsdPX79BbpPPxq7EnJH1A2+FXF+BJDyZwEJGRQFqiH6qThb1s
         R2dQNMqtDARh/aT18baXtlTvHnWUakZk7XyJS8UidtmmDVXbT2kTO4q38RGtoErzkLzq
         vgt2N+Nc33xphDtfaN3/p86EVCXrLfzWiOir6niJzG4skey9Q6G6u1/ElcOgCHSOxUcR
         jUIwtUCU+RaxFRjglDDRoz1s64UEg8t5UgliLaP9yju5al5VifZ3jpt67ifSJWbMGdlA
         Dj8g/1SwLGBDz+gTyBb0pUmOlFf6axPr2PiJR4eOnc5O2PG8bqQQHduTIsNuXG0KomfB
         V8Og==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x7si13631plv.180.2019.08.28.13.37.36;
        Wed, 28 Aug 2019 13:37:52 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727065AbfH1UhD (ORCPT <rfc822;prestwoj@gmail.com> + 99 others);
        Wed, 28 Aug 2019 16:37:03 -0400
Received: from s3.sipsolutions.net ([144.76.43.62]:42394 "EHLO
        sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726658AbfH1UhC (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Wed, 28 Aug 2019 16:37:02 -0400
Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
        (Exim 4.92.1)
        (envelope-from <johannes@sipsolutions.net>)
        id 1i34ge-0000YN-DV; Wed, 28 Aug 2019 22:37:00 +0200
Message-ID: <adff8812a50ca03f22fd0b3573a19ca42481c009.camel@sipsolutions.net>
Subject: Re: [PATCH] mwifiex: Fix three heap overflow at parsing element in
 cfg80211_ap_settings
From:   Johannes Berg <johannes@sipsolutions.net>
To:     huangwenabc@gmail.com, linux-wireless@vger.kernel.org
Cc:     amitkarwar@gmail.com, nishants@marvell.com, gbhat@marvell.com,
        huxinming820@gmail.com, solar@openwall.com, greg@kroah.com,
        kvalo@codeaurora.org, sashal@kernel.org, mrehak@redhat.com
Date:   Wed, 28 Aug 2019 22:36:58 +0200
In-Reply-To: <20190828020751.13625-1-huangwenabc@gmail.com> (sfid-20190828_040827_580483_8289AFC7)
References: <20190828020751.13625-1-huangwenabc@gmail.com>
         (sfid-20190828_040827_580483_8289AFC7)
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5 (3.30.5-1.fc29) 
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

First of all, the subject doesn't make a lot of sense?


Secondly, for a fix the code is fine I guess, but:

>  	rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
>  					   params->beacon.tail,
>  					   params->beacon.tail_len);

consider removing struct ieee_types_header from your driver, and using
struct element from <linux/ieee80211.h> instead.

This also comes with cfg80211_find_elem() that returns a suitably typed
pointer, so you don't need any casts.

>  	if (vendor_ie) {
>  		wmm_ie = vendor_ie;
> +		if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info))
> +			return;

and using it here would be a whole lot easier to understand too :)

johannes