From: Stanislav Yakovlev
Date: Sat, 10 Apr 2021 10:59:49 +0400
Subject: Re: [PATCH] ipw2x00: potential buffer overflow in libipw_wx_set_encodeext()
To: Dan Carpenter
Cc: Kalle Valo, Jeff Garzik, James Ketrenos, wireless, kernel-janitors@vger.kernel.org
X-Mailing-List: linux-wireless@vger.kernel.org

On Tue, 2 Mar 2021 at 15:16, Dan Carpenter wrote:
>
> The "ext->key_len" is a u16 that comes from the user. If it's over
> SCM_KEY_LEN (32) that could lead to memory corruption.
>
> Fixes: e0d369d1d969 ("[PATCH] ieee82011: Added WE-18 support to default wireless extension handler")
> Signed-off-by: Dan Carpenter
> ---
> drivers/net/wireless/intel/ipw2x00/libipw_wx.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>

Cc: stable@vger.kernel.org
Acked-by: Stanislav Yakovlev

Thanks, and sorry for the long review.

Stanislav.

> diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_wx.c b/drivers/net/wireless/intel/ipw2x00/libipw_wx.c > index a0cf78c418ac..27f15fa40528 100644 > --- a/drivers/net/wireless/intel/ipw2x00/libipw_wx.c > +++ b/drivers/net/wireless/intel/ipw2x00/libipw_wx.c
> @@ -633,8 +633,10 @@ int libipw_wx_set_encodeext(struct libipw_device *ieee, > } > > if (ext->alg != IW_ENCODE_ALG_NONE) { > - memcpy(sec.keys[idx], ext->key, ext->key_len); > - sec.key_sizes[idx] = ext->key_len; > + int len = min_t(int, ext->key_len, SCM_KEY_LEN); > + > + memcpy(sec.keys[idx], ext->key, len); > + sec.key_sizes[idx] = len; > sec.flags |= (1 << idx); > if (ext->alg == IW_ENCODE_ALG_WEP) { > sec.encode_alg[idx] = SEC_ALG_WEP; > -- > 2.30.1 >
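
Review bot: The clamp added in the `ext->alg != IW_ENCODE_ALG_NONE` branch silently truncates an oversized key instead of rejecting it. When the caller passes `ext->key_len` above SCM_KEY_LEN, the first SCM_KEY_LEN bytes are copied and `sec.key_sizes[idx]` is set to the clamped length, and nothing in this hunk reports an error, so userspace has no indication that the installed key differs from the one it supplied. Consider failing the request before the copy, for example returning -EINVAL when `ext->key_len > SCM_KEY_LEN`, so that a malformed length fails loudly. If truncation is deliberate for compatibility with existing callers, a one-line comment above the `min_t()` saying so would make that intent reviewable. The `min_t(int, ...)` cast itself is fine for a u16 source, since the value cannot go negative.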