From: Minsuk Kang
To: arend.vanspriel@broadcom.com
Cc: linux-wireless@vger.kernel.org, kvalo@kernel.org, dokyungs@yonsei.ac.kr, jisoo.jang@yonsei.ac.kr, Minsuk Kang
Subject: Re: [PATCH v2] wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads
Date: Tue, 29 Nov 2022 23:56:33 +0900
Message-Id: <20221129145632.1072379-1-linuxlovemin@yonsei.ac.kr>
In-Reply-To: <20221116142952.518241-1-linuxlovemin@yonsei.ac.kr>
X-Mailing-List: linux-wireless@vger.kernel.org

Minsuk Kang wrote:
> v1->v2: Added a macro BRCMF_MAX_CHANSPEC_LIST > > .../broadcom/brcm80211/brcmfmac/cfg80211.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > index ae9507dec74a..bff3128c2f26 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > @@ -101,6 +101,9 @@ > #define BRCMF_ASSOC_PARAMS_FIXED_SIZE \ > (sizeof(struct brcmf_assoc_params_le) - sizeof(u16)) > > +#define BRCMF_MAX_CHANSPEC_LIST \ > + (BRCMF_DCMD_MEDLEN / sizeof(__le32) - 1) > + > struct brcmf_dump_survey { > u32 obss; > u32 ibss; 
> @@ -6840,6 +6843,13 @@ static int brcmf_construct_chaninfo(struct brcmf_cfg80211_info *cfg, > band->channels[i].flags = IEEE80211_CHAN_DISABLED; > > total = le32_to_cpu(list->count); > + if (total > BRCMF_MAX_CHANSPEC_LIST) { > + bphy_err(drvr, "Invalid count of channel Spec. (%u)\n", > + total); > + err = -EINVAL; > + goto fail_pbuf; > + } > + > for (i = 0; i < total; i++) { > ch.chspec = (u16)le32_to_cpu(list->element[i]); > cfg->d11inf.decchspec(&ch); > @@ -6985,6 +6995,13 @@ static int brcmf_enable_bw40_2g(struct brcmf_cfg80211_info *cfg) > band = cfg_to_wiphy(cfg)->bands[NL80211_BAND_2GHZ]; > list = (struct brcmf_chanspec_list *)pbuf; > num_chan = le32_to_cpu(list->count); > + if (num_chan > BRCMF_MAX_CHANSPEC_LIST) { > + bphy_err(drvr, "Invalid count of channel Spec. (%u)\n", > + num_chan); > + kfree(pbuf); > + return -EINVAL; > + } > + > for (i = 0; i < num_chan; i++) { > ch.chspec = (u16)le32_to_cpu(list->element[i]); > cfg->d11inf.decchspec(&ch);

I have incorporated your review in this patch. Please let me know if any further changes are needed.
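
Review bot: The "- 1" in BRCMF_MAX_CHANSPEC_LIST (the hunk at @@ -101,6 +101,9 @@) is undocumented. Going by the later hunks, which read both list->count and list->element[i] through le32_to_cpu(), it appears to reserve one __le32 for the count field ahead of the elements, and the limit is only correct if the buffer cast to struct brcmf_chanspec_list is BRCMF_DCMD_MEDLEN bytes long, which none of the visible lines show. A short comment above the macro stating both assumptions would keep the bound from silently going stale if the struct layout or the buffer size changes.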
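
Review bot: In brcmf_construct_chaninfo() (the hunk at @@ -6840,6 +6843,13 @@) the new bail-out comes after the context line band->channels[i].flags = IEEE80211_CHAN_DISABLED, so when total exceeds BRCMF_MAX_CHANSPEC_LIST the function returns -EINVAL with those channels already marked disabled. If the caller does not treat this error as fatal, consider validating list->count before the band state is touched; if it does, a sentence in the commit message saying so would settle the question for the next reader.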
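
Review bot: The check in brcmf_enable_bw40_2g() (the hunk at @@ -6985,6 +6995,13 @@) is a second copy of the one in brcmf_construct_chaninfo(), down to the bphy_err() text, but it cleans up differently: an inline kfree(pbuf) and return -EINVAL here, err = -EINVAL and goto fail_pbuf there. Two hand-maintained copies of a bounds check tend to drift apart; a small helper that takes the list and returns the validated count (or an error) would keep the limit and the message in one place. If this function already has an exit label that frees pbuf, using it would also match the other call site.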