Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp982447pxb; Wed, 3 Mar 2021 23:25:49 -0800 (PST) X-Google-Smtp-Source: ABdhPJxHerrcmmTK/FHbXQynnI0LmYXRicE8eeSOPlFWkg9YeceX73lJqnaLAw182TJF5199x9oc X-Received: by 2002:a05:6402:124a:: with SMTP id l10mr2897185edw.122.1614842749745; Wed, 03 Mar 2021 23:25:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614842749; cv=none; d=google.com; s=arc-20160816; b=qCKXu0rcmYp5Faa8OBgL77NURldkDmhpVssA82c6aD9eZBaYqJ3HG3P+S66e4JOBUW gH8Mtew3TFltG6w24jBScfffE1DetRpJkIzc18kdUVw+YCh1iD9SAlquJJyb2A1gzXtf 8VHc51siNltX+mqV8MTpneDEGykfOod0UrbY/+Qxx+gQ1pZU/H4BBk/6dK1SedhfQN/G rZIZQ/6wETRvrvTK/zTOc0AZF00pFo73BuN07lJPmDFcEqzkgdQ2HkvwNKBksZHgej0a uNLC1GsU8khldsvyJxg1SM+tKtU8IXw36zCQwHYqbJyQj3pltgQHK5I+Y8PVuf5DhFX5 Etcg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:cc:to:from:date:dkim-signature; bh=9cmRKCzbFBe71dxo2mYfYCi9TPoq4XL/rApJoJqKCJM=; b=kQ9biRqOUBYjZYShkvgeDctng5lPvAGHfq3+dG4uj2LLAj1hy4miL0mjI+7pYGcpYc s5piRyai2aXUOcWCcYlBEr3xHqNAIuhOq27+f2xQgii6I2KP7gXLiGd3pcd9czR/+yg9 nEr1ac+9PLBytvh9uZp5QqU9oyFmo8GTJ5D1Lm6swldwC94MCCw/mwTM7u1hXber4oP1 54hb2V3jwWH53vkF0OqqWl2ZU7D/Hw8BGxatAA9rXwiNMkxIdDJ0zlJGuzEQW2sHF2ZP SRxyEbYtiSTzEpA8WVJnvVbV0gVD66Wl85YKlsZ8ziKo3m2SmET5DTQ9Cenac2tvKqVv 2U5g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2020-01-29 header.b=qWSDjgU4; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id he10si16916200ejc.486.2021.03.03.23.25.25; Wed, 03 Mar 2021 23:25:49 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2020-01-29 header.b=qWSDjgU4; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238432AbhCCA1j (ORCPT + 99 others); Tue, 2 Mar 2021 19:27:39 -0500 Received: from aserp2130.oracle.com ([141.146.126.79]:50220 "EHLO aserp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1446515AbhCBLSB (ORCPT ); Tue, 2 Mar 2021 06:18:01 -0500 Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 122BF6OW177344; Tue, 2 Mar 2021 11:16:56 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : mime-version : content-type; s=corp-2020-01-29; bh=9cmRKCzbFBe71dxo2mYfYCi9TPoq4XL/rApJoJqKCJM=; b=qWSDjgU41jeYVJgy8uifz3mIlCftwOzLqCGX6cWqzyV9TJH/eq1L3ddo5irMJ0pDccxX AaUeU725aGrr7GB+6eGeNKtIADASg+U5tIW6B8vSrVUc8sgOiqhb5zB+7RT8BjovcJGR GVjc0L/0XSTKq2GwL3ss3lmdCcn/Go4biZJqiWXgDFUpuBWfxFZJXBtB7pUvehOX02fe Mvd3FKzsOrXhdeYVd4H3FFrQm+yGbQ2Qr+2eM/ur1a3SPbdKY0T1E37NjnJEpvysbkeu szjq8bMPICvNrlpcyC7qfw2QaMFODai0Ca/pq8t7wORuZ13QLEB5YDkVJvBQ/PzydHdf Rg== Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70]) by aserp2130.oracle.com with ESMTP id 36ybkb7a7n-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 02 Mar 2021 11:16:56 +0000 Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1]) by aserp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 122BF2Fl076188; Tue, 2 Mar 2021 11:16:55 GMT Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserp3020.oracle.com with ESMTP id 36yyyyqtnk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 02 Mar 2021 11:16:54 +0000 Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id 122BGral004593; Tue, 2 Mar 2021 11:16:53 GMT Received: from mwanda (/102.36.221.92) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 02 Mar 2021 03:16:52 -0800 Date: Tue, 2 Mar 2021 14:16:44 +0300 From: Dan Carpenter To: Stanislav Yakovlev Cc: Kalle Valo , Jeff Garzik , James Ketrenos , linux-wireless@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Mailer: git-send-email haha only kidding X-Proofpoint-IMR: 1 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=9910 signatures=668683 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 mlxlogscore=999 phishscore=0 bulkscore=0 mlxscore=0 spamscore=0 suspectscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2103020094 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=9910 signatures=668683 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 impostorscore=0 suspectscore=0 phishscore=0 bulkscore=0 mlxscore=0 lowpriorityscore=0 clxscore=1011 mlxlogscore=999 adultscore=0 malwarescore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2103020094 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org The "ext->key_len" is a u16 that comes from the user. If it's over SCM_KEY_LEN (32) that could lead to memory corruption. Fixes: e0d369d1d969 ("[PATCH] ieee82011: Added WE-18 support to default wireless extension handler") Signed-off-by: Dan Carpenter --- drivers/net/wireless/intel/ipw2x00/libipw_wx.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_wx.c b/drivers/net/wireless/intel/ipw2x00/libipw_wx.c index a0cf78c418ac..27f15fa40528 100644 --- a/drivers/net/wireless/intel/ipw2x00/libipw_wx.c +++ b/drivers/net/wireless/intel/ipw2x00/libipw_wx.c @@ -633,8 +633,10 @@ int libipw_wx_set_encodeext(struct libipw_device *ieee, } if (ext->alg != IW_ENCODE_ALG_NONE) { - memcpy(sec.keys[idx], ext->key, ext->key_len); - sec.key_sizes[idx] = ext->key_len; + int len = min_t(int, ext->key_len, SCM_KEY_LEN); + + memcpy(sec.keys[idx], ext->key, len); + sec.key_sizes[idx] = len; sec.flags |= (1 << idx); if (ext->alg == IW_ENCODE_ALG_WEP) { sec.encode_alg[idx] = SEC_ALG_WEP; -- 2.30.1