Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp4583148pxv; Tue, 6 Jul 2021 04:37:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzTpcaji2J4A3l49FQ5OLn2W5j+9dyZlOWQ1B02wNDp+pVjHOb+7qR1VJnL6yEse5QdiE+f X-Received: by 2002:a5d:8511:: with SMTP id q17mr15760411ion.98.1625571350182; Tue, 06 Jul 2021 04:35:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625571350; cv=none; d=google.com; s=arc-20160816; b=ncU67PCI9vWtb35VWqEn52nX7s7rninnZn4YWe6O07E/9ypAlSlbwoJYsko5zveZbf ZOgu2gyP7mjD6hZEAoOfKempT8k3uNzncP9qcrbdQHDVjykgzrXyLZTvXdoFDnnfJCWu +yMi20N0Ec3v5CsXIllpcKJ2h9eFYzFNBoo9FDm1qHGCi+M/gZ0A7wSREbAXExQkmrra LBMZx7goPWmPQsU9QONbT04p2AIp2uzDieD5ypI2EajV8MfqL20SXMA5ZjfE1PjukFOD s06ybrMBKJqCCO3AD7xALInDUtn0VELOYdk5fevq3ERY5EmgVCXgy9mW/i1i88ZxhCgv cvEg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=uXo7O8qE5OrOYDje8Fub7OxTOHBtFInNz7FgGLaezpI=; b=AYtX9oUat3OIWpIDIUn5B9TI9xjwb8Gn8kO1RHyyz6Zy1dTXQ+oWTlkSr+rJRjXHLj BwX3vk2edPj2BJ1Du5hPy9QiVvDKGOzGq2m3WWbbtu9K/uV/Y+dbtqksBITlrk0yQuQY Hof9GOiHMhcS5aq9X0GpIJjs9266NOdcu4ZhBjLCb/xcZwjRbYeNHYJxOzxeg6/uqDfO qsCy87vHKNA+9lJNn5bPrKoJYU4Clr9a2tSQldIa2BqSQ7WP0Ds/FhzpUSkOhs2R4gea efSHyFJ1BS6Q9vsxb0HHybKCFyNvr7cDXNXm3NMxTXWaVgkHro2EVc/dB9CGIuoM+rbf UUXw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=IQygBGF0; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v9si18626199ilu.9.2021.07.06.04.35.37; Tue, 06 Jul 2021 04:35:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=IQygBGF0; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237957AbhGFLhx (ORCPT + 99 others); Tue, 6 Jul 2021 07:37:53 -0400 Received: from mail.kernel.org ([198.145.29.99]:47570 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234629AbhGFLgc (ORCPT ); Tue, 6 Jul 2021 07:36:32 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id BEB8D61DF0; Tue, 6 Jul 2021 11:29:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1625570955; bh=JVs+USAqbQwyWosver9IEvaSkLoC7t8CAAanoNskeOs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IQygBGF0aTBi71QHO4d1pjCQeYGUOh6+xbrtUdai9aSPx4Hck3JjwSpKttwblOo0+ 7BG0EEFTWEJrw8J6p/gxl5L7C0rBLzd4bxdbY26OjDANMeyaGD3zrtPLpG3yEFj8kO q5CyTKr1XoIBJmAx165MsWID9Ps1ErE0ceTejQq5MiP3zHQqJPJU7vxG1QeUgGU3FL ai+sCEeAupqFnViJVfDeCuJTglZ4juFzxrQQZx0lrHAIXjJd48mjVXUypXzd+B8RE+ EuMlPJ7Z9Y8yLEHiGZUuEhANyIEV52eFrG16aVoNOkGpG2FH3CfMWV/56hAZ9NgDFT yIHY3olkJ7Nsw== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Lee Gibson , Kalle Valo , Sasha Levin , linux-wireless@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 4.9 22/35] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Date: Tue, 6 Jul 2021 07:28:34 -0400 Message-Id: <20210706112848.2066036-22-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210706112848.2066036-1-sashal@kernel.org> References: <20210706112848.2066036-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: Lee Gibson [ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ] Function wl1251_cmd_scan calls memcpy without checking the length. Harden by checking the length is within the maximum allowed size. Signed-off-by: Lee Gibson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com Signed-off-by: Sasha Levin --- drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c index ede31f048ef9..247f4310a38f 100644 --- a/drivers/net/wireless/ti/wl1251/cmd.c +++ b/drivers/net/wireless/ti/wl1251/cmd.c @@ -465,9 +465,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len, cmd->channels[i].channel = channels[i]->hw_value; } - cmd->params.ssid_len = ssid_len; - if (ssid) - memcpy(cmd->params.ssid, ssid, ssid_len); + if (ssid) { + int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN); + + cmd->params.ssid_len = len; + memcpy(cmd->params.ssid, ssid, len); + } ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd)); if (ret < 0) { -- 2.30.2