Message-ID: <4933455600e633c8cbafc0fc3180a7023894f8c9.camel@sipsolutions.net>
Subject: Re: [PATCH v8] wifi: mwifiex: Fix OOB and integer underflow when rx packets
From: Johannes Berg
To: Polaris Pi, matthewmwang@chromium.org, briannorris@chromium.org, kuba@kernel.org, kvalo@kernel.org
Cc: linux-wireless@vger.kernel.org
Date: Thu, 10 Aug 2023 09:32:57 +0200
In-Reply-To: <20230809215817.3080280-1-pinkperfect2021@gmail.com>

On Wed, 2023-08-09 at 21:58 +0000, Polaris Pi wrote:
> Make sure mwifiex_process_mgmt_packet,
> mwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet,
> mwifiex_uap_queue_bridged_pkt and mwifiex_process_rx_packet
> not out-of-bounds access the skb->data buffer.
>
> Fixes: 2dbaf751b1de ("mwifiex: report received management frames to cfg80211")
> Signed-off-by: Polaris Pi
> ---
> V5: Follow chromeos comments: preserve the original flow of mwifiex_process_uap_rx_packet
> V6: Simplify check in mwifiex_process_uap_rx_packet
> V7: Fix drop packets issue when autotest V6, now pass manual and auto tests
> V8: Fix missing return after free skb
>

Arguably, as Brian also said, that missing return is completely
unrelated and should perhaps be a separate commit?

johannes