Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp4582378pxv; Tue, 6 Jul 2021 04:36:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxxoesX8bwxedcvNnxn0/QsSo3e8v8V3PelxCYGBXe/JkNBK5DIfmcEwC1lWGnAIyROpnv/ X-Received: by 2002:a92:c846:: with SMTP id b6mr13971079ilq.170.1625571376817; Tue, 06 Jul 2021 04:36:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625571376; cv=none; d=google.com; s=arc-20160816; b=GTGrFk9SJY4v41erEftA7Pac7WEwrINAMocjiEJBUcItEKzhirtzgYYaopTLkxqRHO H59K+OOShP9Rgztat49LAStzURgBEQ3WthsAUX9/nd9riRwRT8YruL/GCCY5zfv0C97l QHw7oatRj3VgNsg/Wt6XoAISG22NE5Ush+hwphBzjQkTrvJZqrL/BCc+du1wozYy7p69 rzzbS3Sw9h27okz5y+BCILVVQChi1SWKOK6F7vRfa5opi/gHgLEXdzSwRvpy3dPNYzKf zHBB57pjzp4nPR+/HR+8Bu3HxihC/NPXaGaKusBwYOoyFeVborl32jn72UqrnVUAl0ZG fUMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=qim3MuTq3ebNSTqCNs/dnfq5+JLP4uUjR/YRwTmUA08=; b=Bd5+WDhOcAk2/AxZFMnY5eZRAqmFk+Wa/4uAuZLVEcYpPLI5w/g5U2CLY3EFBCZVew XzA4qZI4TBH+z85WstdC8EhAc38b5lUNM2EMeK9it8PruwFWCHv+3NGKkH0kh9cfG0Z7 f9gi21UB6gkUavWY0xYUtG/UHp1dwH7wgAxRKpT5LYFZie6+vSWW+e+oALuknvdxQgQe TXzm+Cg73iTFUpcRwC+bxe/fIl0P1Do2G+8hfM8EAE4WIGRpBmSUn/YU7ueX2ptk6Tii YdAE9KvDXvHh1K2xwvO/3C/H7Ts0G/0ZftiAmpBKrJ0DP7Mjai04gVKo2pRkaHVRYpYq gryg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=WwPpKpR+; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z7si3246270iln.128.2021.07.06.04.36.04; Tue, 06 Jul 2021 04:36:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=WwPpKpR+; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235248AbhGFLhr (ORCPT + 99 others); Tue, 6 Jul 2021 07:37:47 -0400 Received: from mail.kernel.org ([198.145.29.99]:47572 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237396AbhGFLgH (ORCPT ); Tue, 6 Jul 2021 07:36:07 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C2BD561D90; Tue, 6 Jul 2021 11:27:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1625570840; bh=DLMSh4j0AnmTMlzgxM/VboZ7+8wm4ULFHQ39d2I+ppE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WwPpKpR+px5HKk88o13tanPICXQbElDGr8bpfMLOwdyPzIPrGyGoiKJeQG/odpsb8 dPllXSDQ8H1c+JS1D/NDbISCpoqC+onJ8XqI9xHQGpRWOnXLNI3WNCKbesYhy1UBZY JQBs3qTJs8+nyDZPIf/BLQ71l/v6p6adDrqoxSquO/YfQ675XfEwtKGUIA7RBWCmii PPu6j5UzeC47X4zh/cjBY67sBxMvPTyFzGAHK9Ea987rbwzt6RntiPe9VLwE+UWGUb Abz8uQtNOLZTsfjoLQaSDTL7ww+2x57YmkaLGIqE12z7nJjilN0xRYlGkXXoh6DU1p 54SQAtTrYzbow== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Lee Gibson , Kalle Valo , Sasha Levin , linux-wireless@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 4.19 33/55] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Date: Tue, 6 Jul 2021 07:26:16 -0400 Message-Id: <20210706112638.2065023-33-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210706112638.2065023-1-sashal@kernel.org> References: <20210706112638.2065023-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: Lee Gibson [ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ] Function wl1251_cmd_scan calls memcpy without checking the length. Harden by checking the length is within the maximum allowed size. Signed-off-by: Lee Gibson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com Signed-off-by: Sasha Levin --- drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c index 9547aea01b0f..ea0215246c5c 100644 --- a/drivers/net/wireless/ti/wl1251/cmd.c +++ b/drivers/net/wireless/ti/wl1251/cmd.c @@ -466,9 +466,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len, cmd->channels[i].channel = channels[i]->hw_value; } - cmd->params.ssid_len = ssid_len; - if (ssid) - memcpy(cmd->params.ssid, ssid, ssid_len); + if (ssid) { + int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN); + + cmd->params.ssid_len = len; + memcpy(cmd->params.ssid, ssid, len); + } ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd)); if (ret < 0) { -- 2.30.2