Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp208792pxb;
        Sat, 10 Apr 2021 00:00:50 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzHjOJpkLagVzW/gfOZ/KSsyf7uUxFGlU88U5Qo7wH/u/yUi9HJLDVPmuz7Ey9tCQxlDv20
X-Received: by 2002:a17:902:bb83:b029:e5:dacc:9035 with SMTP id m3-20020a170902bb83b02900e5dacc9035mr16095495pls.80.1618038049897;
        Sat, 10 Apr 2021 00:00:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1618038049; cv=none;
        d=google.com; s=arc-20160816;
        b=AAqZmyVCq6LsEjznLNMDbU3quQse3QJrj2fIznyWErALncBhUbRZWAFyBZexE6deex
         2iDEqUEHt+LzvWbd3+i3X4PWBX8mAJhOyaygUlD4ePG+lgnCS4PrsASV2BdfLdGfbVoP
         kGyN9R+B2/geEkme429L/YqVOgIgCV6MGf841NKEHyfnfmPWAut2RMPop44VqTOrSYs3
         hlpLRq+4z75qFNuiWzpexA8yEVuUkGSbOEKX0vwscoMnpgd8+wko3muQVp7C+PdggAlN
         zd9QtwX0bGfEse8MHXayNMyBKdOkETAFmwy/ann8ayGDs+CWH3M2HB+VIULfP0/lw7+L
         RSzg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=y+qU2K2MTxemBysOAaAel00sT0k/PXV6IjQavtJSZP4=;
        b=Pew5g6HIlmE5vvCGkcISi0W414qc1zFd5Olqhh3E55X+CHwEN5eX+hhrl33Ku3iCw9
         eSl1R67yHHXlBs6T1ARdVhQqzVd8yMzO7KYXVpGb8YzesREoDAe7OOtwl4ROcnsQOPga
         cRENcKvx6SK35PYuMgF/VJsNHUMfOYe9pDGRQmSQZYwl4swnb1BH5M+hgqJ7HqQO8aEI
         eXGzQW7yODYQwKxy7gF7LFUIm7kZVT0MFp634v6WQSzlXUkLwHReVxLmNEZa6Kod5i6M
         JqoVEqQoSbqEn9OO/H1u5OjdplT43fPIkvQpY7ds9qKKxR9JiBJAAJ8atWTHzJoFphHv
         1yAw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=XilqbwzT;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id t12si3816964pgi.224.2021.04.10.00.00.27;
        Sat, 10 Apr 2021 00:00:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=XilqbwzT;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233606AbhDJHA2 (ORCPT <rfc822;benjamin.aschenbrenner@gmail.com>
        + 99 others); Sat, 10 Apr 2021 03:00:28 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45100 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229537AbhDJHAZ (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Sat, 10 Apr 2021 03:00:25 -0400
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9E4F0C061762;
        Sat, 10 Apr 2021 00:00:11 -0700 (PDT)
Received: by mail-io1-xd32.google.com with SMTP id v26so8182968iox.11;
        Sat, 10 Apr 2021 00:00:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=y+qU2K2MTxemBysOAaAel00sT0k/PXV6IjQavtJSZP4=;
        b=XilqbwzTDmRoEmZ6zQy+MRJEIeYKyOHHAC16Zl3Us6SEoaR1anZ4fT5hvmEMIjIF+Z
         7LIT3HjQJH9SEKIBcYLK8qE26xt9DS9noGPt71wHnKgJ2IGqfvXIUv62ajy92+6SWLRH
         xaHkniLAV9eEnwhRwW8h9mFBzGA359itdV/k0EmtrxzOEJJHz+UR3X6uTgV9B4hLyPVG
         IeUSdS/D1plsFRtEZYytDk7bogOy4geia81tn3VpT/pp9X5buJB9yPoujgs9YcSXsy+O
         EUwPdbGdteAaXj4FW2PfHASjtFO25YqSIYNh6YiHE/BsM9C/LPbxg2dxpKI4QctbKYbB
         abWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=y+qU2K2MTxemBysOAaAel00sT0k/PXV6IjQavtJSZP4=;
        b=qfRB7CckvF+SY2/Q5sLsf7seQXZZcSY5JH5n2QbRjM7i6Ixek22mJ9xZG7vrj5h4Yy
         49CZOq9vmxP9dojJcLW67OiL4fFYsprCitaQntprQBs12CGr4wS+WzbtHzfpRHn7QOJE
         lbs/TCvspcrHkkozt1CJAa5WCOXxFis83AziMUlU+h0pjOVbfRLk/KqPXFplxXmYSofU
         WP1TdkQLoBLQaaFf4d0fKHh4g2C6E5yHS/kH8e5E7f6aR+l4AClVvLgSztg1fDcuxk7D
         V/KG3M58YV+8Z1I7SLQzIv6K79mp+S/TIHRQ3jbU8qvprBJC/U0xl9jVkc2NL3V6bqeu
         ZKsg==
X-Gm-Message-State: AOAM531VD6ZBliPTCUzcbi715Qd7Pxm88qY7UIN24Rjg6N5bYZbUUHEV
        6Dim7wdvAeGuL3OVVfSf5xToE6icl4gPGpIEvSI=
X-Received: by 2002:a02:7410:: with SMTP id o16mr18527890jac.37.1618038011076;
 Sat, 10 Apr 2021 00:00:11 -0700 (PDT)
MIME-Version: 1.0
References: <YD4enB/Er/5PWgUz@mwanda>
In-Reply-To: <YD4enB/Er/5PWgUz@mwanda>
From:   Stanislav Yakovlev <stas.yakovlev@gmail.com>
Date:   Sat, 10 Apr 2021 10:59:49 +0400
Message-ID: <CA++WF2PBo1Mok+bnnUCEZxbbEacX7FcU7PYAPTo=iqgOb2+f3Q@mail.gmail.com>
Subject: Re: [PATCH] ipw2x00: potential buffer overflow in libipw_wx_set_encodeext()
To:     Dan Carpenter <dan.carpenter@oracle.com>
Cc:     Kalle Valo <kvalo@codeaurora.org>, Jeff Garzik <jgarzik@pobox.com>,
        James Ketrenos <jketreno@linux.intel.com>,
        wireless <linux-wireless@vger.kernel.org>,
        kernel-janitors@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

On Tue, 2 Mar 2021 at 15:16, Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> The "ext->key_len" is a u16 that comes from the user.  If it's over
> SCM_KEY_LEN (32) that could lead to memory corruption.
>
> Fixes: e0d369d1d969 ("[PATCH] ieee82011: Added WE-18 support to default wireless extension handler")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/net/wireless/intel/ipw2x00/libipw_wx.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>

Cc: stable@vger.kernel.org
Acked-by: Stanislav Yakovlev <stas.yakovlev@gmail.com>

Thanks, and sorry for the long review.

Stanislav.


> diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_wx.c b/drivers/net/wireless/intel/ipw2x00/libipw_wx.c
> index a0cf78c418ac..27f15fa40528 100644
> --- a/drivers/net/wireless/intel/ipw2x00/libipw_wx.c
> +++ b/drivers/net/wireless/intel/ipw2x00/libipw_wx.c
> @@ -633,8 +633,10 @@ int libipw_wx_set_encodeext(struct libipw_device *ieee,
>         }
>
>         if (ext->alg != IW_ENCODE_ALG_NONE) {
> -               memcpy(sec.keys[idx], ext->key, ext->key_len);
> -               sec.key_sizes[idx] = ext->key_len;
> +               int len = min_t(int, ext->key_len, SCM_KEY_LEN);
> +
> +               memcpy(sec.keys[idx], ext->key, len);
> +               sec.key_sizes[idx] = len;
>                 sec.flags |= (1 << idx);
>                 if (ext->alg == IW_ENCODE_ALG_WEP) {
>                         sec.encode_alg[idx] = SEC_ALG_WEP;
> --
> 2.30.1
>