From: Dmitry Antipov
To: Jérôme Pouiller
Cc: Kalle Valo, linux-wireless@vger.kernel.org, Dmitry Antipov
Subject: [PATCH] [v2] wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()
Date: Mon, 4 Dec 2023 20:11:28 +0300
Message-ID: <20231204171130.141394-1-dmantipov@yandex.ru>
In-Reply-To: <4726634.8F6SAcFxjW@pc-42>

Since 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'
should check the return value before examining skb data. So convert
the latter to return an appropriate error code and propagate it to
return from 'wfx_start_ap()' as well. Compile tested only.

Signed-off-by: Dmitry Antipov
---
v2: adjust branches according to maintainer's suggestions
---
 drivers/net/wireless/silabs/wfx/sta.c | 42 ++++++++++++++++-----------
 1 file changed, 25 insertions(+), 17 deletions(-)

diff --git a/drivers/net/wireless/silabs/wfx/sta.c b/drivers/net/wireless/silabs/wfx/sta.c index 1b6c158457b4..537caf9d914a 100644 --- a/drivers/net/wireless/silabs/wfx/sta.c +++ b/drivers/net/wireless/silabs/wfx/sta.c
@@ -336,29 +336,38 @@ static int wfx_upload_ap_templates(struct wfx_vif *wvif) return 0; } -static void wfx_set_mfp_ap(struct wfx_vif *wvif) +static int wfx_set_mfp_ap(struct wfx_vif *wvif) { struct ieee80211_vif *vif = wvif_to_vif(wvif); struct sk_buff *skb = ieee80211_beacon_get(wvif->wdev->hw, vif, 0); const int ieoffset = offsetof(struct ieee80211_mgmt, u.beacon.variable); - const u16 *ptr = (u16 *)cfg80211_find_ie(WLAN_EID_RSN, skb->data + ieoffset, - skb->len - ieoffset); const int pairwise_cipher_suite_count_offset = 8 / sizeof(u16); const int pairwise_cipher_suite_size = 4 / sizeof(u16); const int akm_suite_size = 4 / sizeof(u16); + const u16 *ptr; - if (ptr) { - ptr += pairwise_cipher_suite_count_offset; - if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb))) - return; - ptr += 1 + pairwise_cipher_suite_size * *ptr; - if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb))) - return; - ptr += 1 + akm_suite_size * *ptr; - if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb))) - return; - wfx_hif_set_mfp(wvif, *ptr & BIT(7), *ptr & BIT(6)); - } + if (unlikely(!skb)) + return -ENOMEM; + + ptr = (u16 *)cfg80211_find_ie(WLAN_EID_RSN, skb->data + ieoffset, + skb->len - ieoffset); + if (unlikely(!ptr)) + return -EINVAL; + + ptr += pairwise_cipher_suite_count_offset; + if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb))) + return -EINVAL; + + ptr += 1 + pairwise_cipher_suite_size * *ptr; + if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb))) + return -EINVAL; + + ptr += 1 + akm_suite_size * *ptr; + if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb))) + return -EINVAL; + + wfx_hif_set_mfp(wvif, *ptr & BIT(7), *ptr & BIT(6)); + return 0; } int wfx_start_ap(struct ieee80211_hw *hw, struct ieee80211_vif *vif, 
@@ -376,8 +385,7 @@ int wfx_start_ap(struct ieee80211_hw *hw, struct ieee80211_vif *vif, ret = wfx_hif_start(wvif, &vif->bss_conf, wvif->channel); if (ret > 0) return -EIO; - wfx_set_mfp_ap(wvif); - return ret; + return wfx_set_mfp_ap(wvif); } void wfx_stop_ap(struct ieee80211_hw *hw, struct ieee80211_vif *vif, -- 2.43.0
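
Review bot: in wfx_set_mfp_ap(), the new `if (unlikely(!ptr)) return -EINVAL;` changes behaviour for a beacon that carries no RSN element. The old code wrapped the whole walk in `if (ptr) { ... }` and simply skipped the MFP setup in that case, whereas now the error propagates out of wfx_start_ap(); returning 0 when cfg80211_find_ie() finds nothing would keep the previous behaviour and still fix the NULL skb case. Separately, none of the return paths visible in this hunk free the skb obtained from ieee80211_beacon_get(); since the function is being restructured around error returns anyway, a single exit label that calls dev_kfree_skb(skb) would close that. The three `ptr > (u16 *)skb_tail_pointer(skb)` checks also still let ptr equal the tail pointer before `*ptr` is read, so `>=` would make the bound match the dereference.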
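
Review bot: in wfx_start_ap(), replacing `return ret;` with `return wfx_set_mfp_ap(wvif);` discards `ret` from wfx_hif_start() whenever it is not positive. Only `ret > 0` is handled before the call, so if wfx_hif_start() can return a negative value, that value was previously returned and is now overwritten by the result of wfx_set_mfp_ap(). An explicit `if (ret < 0) return ret;` ahead of the call would preserve it. Also, when wfx_set_mfp_ap() fails here wfx_hif_start() has already succeeded and nothing in the hunk undoes it before the error is returned; the commit message should say whether that is intended.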