Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp4569970pxv; Tue, 6 Jul 2021 04:18:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy31/uBJrk6ws7TpGRe9zElU9ks94qe2juAisT+zBx4KK9z5LLaI9+sJKiDv5Rz3utheuwL X-Received: by 2002:a92:290b:: with SMTP id l11mr13334464ilg.71.1625570307110; Tue, 06 Jul 2021 04:18:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625570307; cv=none; d=google.com; s=arc-20160816; b=K/CaV5DmyTkX/z/goi5SfwdLjUGN+2fL94xVNxp4mzBeeIhOrchaLQsyOW9VsI5T5E HIMY7TDNVZ0CFLrwtAK3QCAwNAFRR7X9GsVuGugbrl+oYfiFg24ddaWmTaSp5r+1zJnC TdCMsZekor7Lzei4W3omq55sVb2z5KH7PQx2GIelVG/DFrwr9v7cVq3/Z4xKXEBV/vL/ bYUvn3MTyfCKVbiv00HTH/OcMsZaNVjZmZl235iLeFWGunwJLBzsmAleF+XQPAP3Cta0 X4Mt+1gwUhRErH8FEztJ5U+mJaWWby+UMb7fzPnez2xMZOl6Oz7+KCF8MyXnCzoQF6Mz SIYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=4kOsk94owB5VtUUpf2UeEY4Gts97jN89L0cMQbt9VdU=; b=BUt0lhIJOgO+Yu7iOPDWovU7V16omNPbhlCXJfh0sJohsf5B9EYe8YmWnrUX1PtoJu eBS1GCupZ7+juB5XUM77Gp4z3jmN455+QpbBvf3Z0BmZsC3XDfsFPcfMb0tpAcy8aV2m fPPD0mog7jbQ7ygSakMGxrJeG7h3eCxelh0Vj4enXeBkusJg7ktdsmZcydJUOEo6y16o uSCHlT3EfBEebe2YQLZxRcNEBrkOJznasjXgmzOaX/3cq8QwoLaEitXG4wUCYATJZHeL CI1RuICqWnDufLlc5jCtXBBDiV1tYdNa6fgrr+bpABUDl/UOVd7fy7jrMTGyG6ohmyNX 094w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=rV27JdFj; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l15si16542747iok.34.2021.07.06.04.18.15; Tue, 06 Jul 2021 04:18:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=rV27JdFj; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233120AbhGFLUF (ORCPT + 99 others); Tue, 6 Jul 2021 07:20:05 -0400 Received: from mail.kernel.org ([198.145.29.99]:54822 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232881AbhGFLTO (ORCPT ); Tue, 6 Jul 2021 07:19:14 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 0B59E61C6A; Tue, 6 Jul 2021 11:16:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1625570195; bh=iNcNQir2cRVMu562KVKOKY2dPsh8LJRdvfF8o5bwC1Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rV27JdFjsYlXHIyNPOphWbPJQlhoi0sp2dcUIBU2LIPDRm/y0IkbZJSJ8bdxxISGA r1M+qfIzGTIzGVKbONhsvUYhcGL/w/iLfYhaaCz5l5Vv9JTjRaPHZXha12oeevvLmC TI9Pk5dawJ8qIpiAGfn4iH/gm66HNHr36sBR27hVL2xxKp+6Po99IuEgGvfpsMq5Sl OZ3sQlva4JreVvmSSabZ0Mdbbn2ZzTIN4MdhLBc52ACtjz5190JQBXsHfWYk6L+IET aFtnRgkHXw7S2GfeTrlcmg+kqEcvyxK/xFX2XYp0N3LU+T7yEvpJAbs4WBW+uhYHvl 1/9bt+Ke/rZVw== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Lee Gibson , Kalle Valo , Sasha Levin , linux-wireless@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 5.13 109/189] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Date: Tue, 6 Jul 2021 07:12:49 -0400 Message-Id: <20210706111409.2058071-109-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210706111409.2058071-1-sashal@kernel.org> References: <20210706111409.2058071-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: Lee Gibson [ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ] Function wl1251_cmd_scan calls memcpy without checking the length. Harden by checking the length is within the maximum allowed size. Signed-off-by: Lee Gibson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com Signed-off-by: Sasha Levin --- drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c index 498c8db2eb48..d7a869106782 100644 --- a/drivers/net/wireless/ti/wl1251/cmd.c +++ b/drivers/net/wireless/ti/wl1251/cmd.c @@ -454,9 +454,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len, cmd->channels[i].channel = channels[i]->hw_value; } - cmd->params.ssid_len = ssid_len; - if (ssid) - memcpy(cmd->params.ssid, ssid, ssid_len); + if (ssid) { + int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN); + + cmd->params.ssid_len = len; + memcpy(cmd->params.ssid, ssid, len); + } ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd)); if (ret < 0) { -- 2.30.2