Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp7537377rwb; Wed, 23 Nov 2022 07:41:46 -0800 (PST) X-Google-Smtp-Source: AA0mqf5RZhGhRoyxnHg17e046uIeIIxYqxuAmtdIN/VLSissV3695uTJpRUe2j/2jFb8akz1IHeT X-Received: by 2002:a05:6a02:105:b0:477:8227:8dc3 with SMTP id bg5-20020a056a02010500b0047782278dc3mr9445600pgb.561.1669218106246; Wed, 23 Nov 2022 07:41:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669218106; cv=none; d=google.com; s=arc-20160816; b=SLq7eSdcvw5diEBw9UwEh+Bjp/cNiB2kf79dPh/SdEDFGs/6XL8EcFMCxsWef23SbI M1mIWO+UzZZqx0hO8yH6E///C9NnOajEkqSxklUiILIg6RKNhWjGBrsQCKzWZctp2iNA gfbApSHWoJpwoOJZKqyAxPpEI1aeGBHymaxp+tWWfc7Vmlmsq8u7kIH24JC40yYNKZAE wrFpgUGWIIgM1ZBdrk7OL6v9l+BCvcTAdIy1vd69kZZbzCBniIl8tk54aB43EGbnHnDz 3N0H4ldJy2O1xlCNCZ28SdktJuA6xeQGrraKIItH4XJz5Mmkmj6ZK4XaF/CIc0aRkxwD DPBg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=iSfnO0oLUvR/YHRda4SUn9qpHU5N545eEU/vyWcDNSs=; b=bV+CZ412cneTlv5Ett/q1BMl96fWc+GQSOY63m1C9rcPIdWxoKy6Rm6Xa8Ynr4qJbF sj+sgQwMUnnt+UZuqbSdE/KIJ+4G0hINqblAFgFSmKM4U3W48UukEse6skgPJDwJmmj3 12o4uXlBkPwSTN5LaE6myR8w5ErNNH7hmBsPn03igz097cqPB4f/uij0NspAl4O+Q9D2 tn2pehY1m0rDLbTYIXL0nhHi5xzOwMPfg19ENnDFydLyga2w6yojaU9GSabTgMGJJlLl rIbBkcemXGJgTpNyXT8puleYSpgiCTLi7/NXVEv+KI/t+PHjdjzaGVGfI5DTDjDMrMtB dhOA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@github.com header.s=google header.b="IlDj/ixS"; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=github.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n8-20020a17090a670800b00218906bfbcbsi1713492pjj.172.2022.11.23.07.41.37; Wed, 23 Nov 2022 07:41:46 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@github.com header.s=google header.b="IlDj/ixS"; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=github.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238250AbiKWPgA (ORCPT + 68 others); Wed, 23 Nov 2022 10:36:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49258 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238042AbiKWPf7 (ORCPT ); Wed, 23 Nov 2022 10:35:59 -0500 Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7440473B8F for ; Wed, 23 Nov 2022 07:35:58 -0800 (PST) Received: by mail-qt1-x82a.google.com with SMTP id s4so11431915qtx.6 for ; Wed, 23 Nov 2022 07:35:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=iSfnO0oLUvR/YHRda4SUn9qpHU5N545eEU/vyWcDNSs=; b=IlDj/ixSzEJ7qI4m70X7ywNtqUijdynODGQNoDHpdHsQSmUm6IibulgOqhx759hfRc sgSrp+r+zd4DCCkWjFB/Vkc+YMKx+3yOVb+kzP8gE+ZPnOsAS4o7WRzuQN28tJGAI3cY 1W17x3r9gfraWtFirC+ITMytn3OCwio/4uV3sNhcAcW5+IWEQopYi2Ja//Qnhr3lqtW3 TVlTFzr5l7X71GWGscGEkKWsVw5wrU9MheWr/odcG9RO1zsheBRvo9KU8ROo+v2EPswG j3HqorxenMDaGKyclRj2kMSq2tdwEcTgY3shXOR17m/nspYoQN5dyHjaj8LGrF+CxpE6 zCEw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=iSfnO0oLUvR/YHRda4SUn9qpHU5N545eEU/vyWcDNSs=; b=chPU52ntAH33Csr3QMFkxuVrbFwJRA945V31l0LGFW0uyGRhoEWZ88CgllcgPyxyI/ c9PEjJQqVpS3mc6Wx2QHSzrBZvE2CIi7Wp0cjUfq3ajCGhUa4b2s+ALnAWJ4uDDT+t7d skW5Hlyb9fSgYrAivFrnROO7tLRW6CFBhZCOzAgc2oE48wMIVqO7DFav17UXgKA6xAqe 81DK/Pjy/+qCNLfgZgEQApdwr9XXtKgzJ0rOBC+W58X31fJFq1XxOZWo6Hxjk0ycRWGw r0x2uwpcgi6S8sYj+n0PJB0JwEEV0Ybd9Uwp52ihYn3B/4agyGbpLMxpXzuOgA9ULPQX PbuA== X-Gm-Message-State: ANoB5pncGCttxkfxms6wNKgMyge5JNnmE6+7pEGSj3rMp3WDC1mdUEPU rzprwF3w8hCbPdP5KbbsoKY8gqVgPDr3h453XsffMuRtQ0g5TualeJdtQUYNoen7y2GM9U+XTz4 mjUxmRyh7xpl3ua4gjkxH2C6LNNF3xd6nicWnBHOE6Alh3zqopD84v3XQyUtXbDc7cd9wSVkYEN BghHeJYKvm7fA= X-Received: by 2002:ac8:7343:0:b0:3a4:c30b:c640 with SMTP id q3-20020ac87343000000b003a4c30bc640mr8314182qtp.25.1669217757151; Wed, 23 Nov 2022 07:35:57 -0800 (PST) Received: from localhost.localdomain (c-73-218-151-107.hsd1.ct.comcast.net. [73.218.151.107]) by smtp.gmail.com with ESMTPSA id u12-20020a37ab0c000000b006bb29d932e1sm11990296qke.105.2022.11.23.07.35.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Nov 2022 07:35:56 -0800 (PST) From: Phil Turnbull To: linux-wireless@vger.kernel.org Cc: ajay.kathat@microchip.com, claudiu.beznea@microchip.com, kvalo@kernel.org, Phil Turnbull Subject: [PATCH 4/4] wifi: wilc1000: validate number of channels Date: Wed, 23 Nov 2022 10:35:43 -0500 Message-Id: <20221123153543.8568-5-philipturnbull@github.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221123153543.8568-1-philipturnbull@github.com> References: <20221123153543.8568-1-philipturnbull@github.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org There is no validation of 'e->no_of_channels' which can trigger an out-of-bounds write in the following 'memset' call. Validate that the number of channels does not extends beyond the size of the channel list element. Signed-off-by: Phil Turnbull Tested-by: Ajay Kathat Acked-by: Ajay Kathat --- .../wireless/microchip/wilc1000/cfg80211.c | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c index c4d5a272ccc0..b545d93c6e37 100644 --- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c +++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c @@ -981,19 +981,29 @@ static inline void wilc_wfi_cfg_parse_ch_attr(u8 *buf, u32 len, u8 sta_ch) } if (ch_list_idx) { - u16 attr_size; - struct wilc_ch_list_elem *e; - int i; + u16 elem_size; ch_list = (struct wilc_attr_ch_list *)&buf[ch_list_idx]; - attr_size = le16_to_cpu(ch_list->attr_len); - for (i = 0; i < attr_size;) { + /* the number of bytes following the final 'elem' member */ + elem_size = le16_to_cpu(ch_list->attr_len) - + (sizeof(*ch_list) - sizeof(struct wilc_attr_entry)); + for (unsigned int i = 0; i < elem_size;) { + struct wilc_ch_list_elem *e; + e = (struct wilc_ch_list_elem *)(ch_list->elem + i); + + i += sizeof(*e); + if (i > elem_size) + break; + + i += e->no_of_channels; + if (i > elem_size) + break; + if (e->op_class == WILC_WLAN_OPERATING_CLASS_2_4GHZ) { memset(e->ch_list, sta_ch, e->no_of_channels); break; } - i += e->no_of_channels; } } -- 2.34.1