From: huangwenabc@gmail.com
To: linux-wireless@vger.kernel.org
Cc: linux-distros@vs.openwall.org, security@kernel.org, libertas-dev@lists.infradead.org
Subject: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor
Date: Fri, 22 Nov 2019 13:29:17 +0800
Message-Id: <20191122052917.11309-1-huangwenabc@gmail.com>
X-Mailer: git-send-email 2.17.1
X-Mailing-List: linux-wireless@vger.kernel.org

From: Wen Huang

add_ie_rates() copies rates without checking the length in the bss
descriptor from a remote AP. When the victim connects to a remote
attacker, this may trigger a buffer overflow.

lbs_ibss_join_existing() copies rates without checking the length in the
bss descriptor from a remote IBSS node. When the victim connects to a
remote attacker, this may trigger a buffer overflow.

Fix them by putting the length check before performing the copy.

This fix addresses CVE-2019-14896 and CVE-2019-14897.

Signed-off-by: Wen Huang
---
 drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
index 57edfada0..290280764 100644
--- a/drivers/net/wireless/marvell/libertas/cfg.c
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int *nrates) int hw, ap, ap_max = ie[1]; u8 hw_rate; + if (ap_max > MAX_RATES) { + lbs_deb_assoc("invalid rates\n"); + return tlv; + } /* Advance past IE header */ ie += 2; @@ -1777,6 +1781,10 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, } else { int hw, i; u8 rates_max = rates_eid[1]; + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); + goto out; + } u8 *rates = cmd.bss.rates; for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { u8 hw_rate = lbs_rates[hw].bitrate / 5; -- 2.17.1
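Review bot: in the add_ie_rates() hunk, the new `if (ap_max > MAX_RATES)` branch returns `tlv` untouched and leaves `*nrates` as it was, so the caller cannot tell a malformed rates IE from an IE that simply matched no hardware rate. Dropping the IE is a defensible fail-safe for attacker-controlled input, but say so in a one-line comment above the check so the silent return does not look accidental. Two style points while you are there: put a blank line between the closing `}` and the existing `/* Advance past IE header */` comment, as the surrounding code does between blocks, and keep the two debug messages consistent (this one is "invalid rates\n", the lbs_deb_join() one in the next hunk has no trailing "\n").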
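Review bot: in the lbs_ibss_join_existing() hunk, the check is inserted between the declarations `u8 rates_max = rates_eid[1];` and `u8 *rates = cmd.bss.rates;`, which leaves a declaration after a statement; the kernel compiles with -Wdeclaration-after-statement, so this will produce a warning. Either move `u8 *rates = cmd.bss.rates;` above the new `if`, or hoist `hw`, `i`, `rates_max` and `rates` to the top of the function and do the comparison after the assignment. Also, the hunk does not show what `ret` holds at `out:`; if it is still 0 there, a rejected IE makes the join report success without anything having been sent, so consider setting `ret = -EINVAL` before the `goto out`. Minor: `lbs_deb_join("invalid rates")` lacks the trailing "\n" that the first hunk's `lbs_deb_assoc()` message has.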
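As an added illustration of the bug the commit message describes (a user-space model written for this page, not code from the libertas driver or from the patch author): both copy loops take the number of entries to scan from the IE's own length byte, `ie[1]`, which the remote AP or IBSS peer controls, while the destination is a fixed `MAX_RATES`-byte array. The model below keeps the driver's loop shape (match each hardware rate against every IE entry, copy the matches) and measures how far an oversized IE writes past the destination, once without and once with the patch's length check. The rate table is assumed to mirror the standard 802.11g set that `lbs_rates[]` carries; `copy_rates_unchecked`, `copy_rates_checked`, `guard_bytes_clobbered` and `rate_table` are this example's own names, and the IE is constructed input.

```c
/* User-space model of the libertas rate-copy loops, written for this page.
 * Not the driver's code: MAX_RATES and the loop shape follow cfg.c, the
 * rate table is assumed to mirror lbs_rates[], everything else is harness. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;

#define MAX_RATES 14   /* size of the rates[] destination in the driver */
#define GUARD     255  /* harness-only canary region; covers any u8 IE length */

/* Assumed to mirror lbs_rates[].bitrate: 802.11g rates in 100 kbit/s units. */
static const int rate_table[] = { 10, 20, 55, 110, 60, 90, 120, 180, 240, 360, 480, 540 };
#define NRATES ((int)(sizeof(rate_table) / sizeof(rate_table[0])))

/* Pre-patch behaviour: the entry count comes straight from the IE length
 * byte ie[1], which the remote peer controls, and every match is written to
 * dst with no bound on dst. Returns the number of bytes written. */
static int copy_rates_unchecked(u8 *dst, const u8 *ie)
{
    int hw, ap, ap_max = ie[1];
    int n = 0;

    ie += 2;                                  /* skip EID and length */
    for (hw = 0; hw < NRATES; hw++) {
        u8 hw_rate = rate_table[hw] / 5;      /* 500 kbit/s units, as in the driver */
        for (ap = 0; ap < ap_max; ap++)
            if (hw_rate == (ie[ap] & 0x7f))
                dst[n++] = ie[ap];
    }
    return n;
}

/* Post-patch behaviour: refuse an IE that advertises more rates than the
 * destination can hold, before any copy happens. Returns -1 when rejected. */
static int copy_rates_checked(u8 *dst, const u8 *ie)
{
    if (ie[1] > MAX_RATES)
        return -1;
    return copy_rates_unchecked(dst, ie);
}

/* Harness: build a constructed Supported Rates IE of ie_len entries, all
 * 0x02 (1 Mbit/s, which matches the first table entry, so every entry gets
 * copied), run one copy routine into a MAX_RATES destination backed by a
 * canary-filled guard region, and count the guard bytes overwritten.
 * Returns -1 if the routine rejected the IE, -2 on a bad ie_len. */
static int guard_bytes_clobbered(int (*copy)(u8 *, const u8 *), int ie_len)
{
    u8 ie[2 + 255];
    u8 buf[MAX_RATES + GUARD];
    int i, n, clobbered = 0;

    if (ie_len < 0 || ie_len > 255)
        return -2;
    ie[0] = 1;                                /* WLAN_EID_SUPP_RATES */
    ie[1] = (u8)ie_len;
    memset(ie + 2, 0x02, (size_t)ie_len);
    memset(buf, 0xAA, sizeof buf);            /* canary fill */

    n = copy(buf, ie);
    if (n < 0)
        return -1;
    for (i = MAX_RATES; i < (int)sizeof buf; i++)
        if (buf[i] != 0xAA)
            clobbered++;
    return clobbered;
}

int main(void)
{
    printf("unchecked, 40-entry IE: %d bytes written past rates[]\n",
           guard_bytes_clobbered(copy_rates_unchecked, 40));
    printf("checked,   40-entry IE: %d (IE rejected)\n",
           guard_bytes_clobbered(copy_rates_checked, 40));
    printf("checked,   14-entry IE: %d bytes written past rates[]\n",
           guard_bytes_clobbered(copy_rates_checked, 14));
    return 0;
}
```

The guard region keeps the demonstration well defined in user space; in the driver the same writes land in whatever follows `rates[]` in the TLV or the ad-hoc join command. The `ie[1] > MAX_RATES` check is sufficient here because the table entries are unique, so each IE entry matches at most one hardware rate and the number of writes can never exceed `ie[1]`.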