From: qize wang
Subject: [PATCH] mwifiex: Fix heap overflow in mwifiex_process_tdls_action_frame()
Date: Fri, 22 Nov 2019 17:43:49 +0800
To: linux-wireless@vger.kernel.org
Cc: amitkarwar, nishants, gbhat, huxinming820, kvalo, Greg KH, security, linux-distros, "dan.carpenter", Solar Designer

mwifiex_process_tdls_action_frame() does not check the incoming tdls information element's validity before using it; this may cause multiple heap buffer overflows. Fix them by putting a validity check before use.

Signed-off-by: qize wang
---
 drivers/net/wireless/marvell/mwifiex/tdls.c | 70 ++++++++++++++++++++++++++---
 1 file changed, 64 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
index 09313047beed..7caf1d26124a 100644
--- a/drivers/net/wireless/marvell/mwifiex/tdls.c
+++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
@@ -953,59 +953,117 @@ void mwifiex_process_tdls_action_frame(struct = mwifiex_private *priv, switch (*pos) { case WLAN_EID_SUPP_RATES: + if (pos[1] > 32) + return; sta_ptr->tdls_cap.rates_len =3D pos[1]; for (i =3D 0; i < pos[1]; i++) sta_ptr->tdls_cap.rates[i] =3D pos[i + = 2]; break; case WLAN_EID_EXT_SUPP_RATES: + if (pos[1] > 32) + return; basic =3D sta_ptr->tdls_cap.rates_len; + if (pos[1] > 32 - basic) + return; for (i =3D 0; i < pos[1]; i++) sta_ptr->tdls_cap.rates[basic + i] =3D = pos[i + 2]; sta_ptr->tdls_cap.rates_len +=3D pos[1]; break; case WLAN_EID_HT_CAPABILITY: - memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos, + if (pos > end - sizeof(struct ieee80211_ht_cap) = - 2) + return; + if (pos[1] !=3D sizeof(struct ieee80211_ht_cap)) + return; + /* copy the ie's value into ht_capb*/ + memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + = 2, sizeof(struct ieee80211_ht_cap)); sta_ptr->is_11n_enabled =3D 1; break; case WLAN_EID_HT_OPERATION: - memcpy(&sta_ptr->tdls_cap.ht_oper, pos, + if (pos > end - + sizeof(struct ieee80211_ht_operation) - 2) + return; + if (pos[1] !=3D sizeof(struct = ieee80211_ht_operation)) + return; + /* copy the ie's value into ht_oper*/ + memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2, sizeof(struct ieee80211_ht_operation)); break; case WLAN_EID_BSS_COEX_2040: + if (pos > end - 3) + return; + if (pos[1] !=3D 1) + return; sta_ptr->tdls_cap.coex_2040 =3D pos[2]; break; case WLAN_EID_EXT_CAPABILITY: + if (pos > end - sizeof(struct = ieee_types_header)) + return; + if (pos[1] < sizeof(struct ieee_types_header)) + return; + if (pos[1] > 8) + return; memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos, sizeof(struct ieee_types_header) + min_t(u8, pos[1], 8)); break; case WLAN_EID_RSN: + if (pos > end - sizeof(struct = ieee_types_header)) + return; + if (pos[1] < sizeof(struct ieee_types_header)) + return; + if (pos[1] > IEEE_MAX_IE_SIZE - + sizeof(struct ieee_types_header)) + return; memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos, sizeof(struct ieee_types_header) 
+ min_t(u8, pos[1], IEEE_MAX_IE_SIZE - sizeof(struct ieee_types_header))); break; case WLAN_EID_QOS_CAPA: + if (pos > end - 3) + return; + if (pos[1] !=3D 1) + return; sta_ptr->tdls_cap.qos_info =3D pos[2]; break; case WLAN_EID_VHT_OPERATION: - if (priv->adapter->is_hw_11ac_capable) - memcpy(&sta_ptr->tdls_cap.vhtoper, pos, + if (priv->adapter->is_hw_11ac_capable) { + if (pos > end - + sizeof(struct = ieee80211_vht_operation) - 2) + return; + if (pos[1] !=3D + sizeof(struct = ieee80211_vht_operation)) + return; + /* copy the ie's value into vhtoper*/ + memcpy(&sta_ptr->tdls_cap.vhtoper, pos + = 2, sizeof(struct = ieee80211_vht_operation)); + } break; case WLAN_EID_VHT_CAPABILITY: if (priv->adapter->is_hw_11ac_capable) { - memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, = pos, + if (pos > end - + sizeof(struct ieee80211_vht_cap) - = 2) + return; + if (pos[1] !=3D sizeof(struct = ieee80211_vht_cap)) + return; + /* copy the ie's value into vhtcap*/ + memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, = pos + 2, sizeof(struct = ieee80211_vht_cap)); sta_ptr->is_11ac_enabled =3D 1; } break; case WLAN_EID_AID: - if (priv->adapter->is_hw_11ac_capable) + if (priv->adapter->is_hw_11ac_capable) { + if (pos > end - 4) + return; + if (pos[1] !=3D 2) + return; sta_ptr->tdls_cap.aid =3D get_unaligned_le16((pos + 2)); + } + break; default: break; } --=20 2.14.3 (Apple Git-98)
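Review bot: the two rates cases (WLAN_EID_SUPP_RATES and WLAN_EID_EXT_SUPP_RATES) bound pos[1] only against the destination array (`if (pos[1] > 32)`) and, unlike every other case in this hunk, never compare pos against end, so unless the enclosing loop already guarantees `pos + 2 + pos[1] <= end` the source read `pos[i + 2]` can still run past the frame; either add the same end check there or state in the commit message that the loop header covers the source side. The three hard-coded 32 limits should be `sizeof(sta_ptr->tdls_cap.rates)` (or a named constant) so they cannot drift from the array declaration, and in the EXT_SUPP_RATES case the first `if (pos[1] > 32)` is subsumed by the `if (pos[1] > 32 - basic)` that follows it. Note also that the HT/VHT capability and operation cases change the memcpy source from `pos` to `pos + 2`: the old code copied the 2-byte IE header into the start of the struct, so this corrects the parsed contents as well as the bounds, and that behaviour change deserves a sentence in the commit message since it is not part of the overflow fix.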