X-Mailing-List: linux-wireless@vger.kernel.org
References: <20231208234127.2251-1-yu-hao.lin@nxp.com>
From: Brian Norris
Date: Thu, 14 Dec 2023 10:52:29 -0800
Subject: Re: [EXT] Re: [PATCH v2] wifi: mwifiex: fix STA cannot connect to AP
To: David Lin
Cc: Francesco Dolcini, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, kvalo@kernel.org, Pete Hsieh, stable@vger.kernel.org

On Thu, Dec 14, 2023 at 3:38 AM David Lin wrote:
>
> > From: Francesco Dolcini
> >
> > On Thu, Dec 14, 2023 at 02:22:57AM +0000, David Lin wrote:
> > > > From: Brian Norris
> > > > It probably wouldn't hurt to significantly write much of this
> > > > driver, but at a minimum, we could probably use a few checks like this:
> > > >
> > > >     cmd_size += sizeof(struct host_cmd_tlv_mac_addr);
> > > >     if (cmd_size > MWIFIEX_SIZE_OF_CMD_BUFFER)
> > > >         return -1;
> > > >     // Only touch tlv *after* the bounds check.
> > > >
> > > > That doesn't need to block this patch, of course.
> > > >
> > > > Brian
> > > >
> > >
> > > I will modify the code for next patch.
> >
> > I would suggest not modify this in this patch, we should fix all the code that
> > is subjected to this potential issue.
> >
> > I would personally do a follow-up patch just to add the check to avoid
> > overflowing the cmd buffer everywhere it is used.

Right, there's tons of code that could potentially be affected, and this
is definitely a separate patch. (Your feature only adds on to the
existing issue, so these are separate logical changes.)

> O.K. I will only change commit message. In fact, this TLV command is added as the first one command.

Well, it doesn't really matter that your TLV is "first" -- if there's an
overflow, there's an overflow. Maybe the 8 bytes you're adding here are
the necessary tipping point. I don't know without doing some kind of
informal mathematics/proof.

Brian
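The check Brian sketches in the quoted text, worked into a small stand-alone C example. This is added here for illustration and is not mwifiex driver code: the buffer size, the TLV layout and every name in it (CMD_BUFFER_SIZE, struct tlv_hdr, struct tlv_mac_addr, struct cmd_buf, cmd_append_mac_tlv, count_mac_tlvs_until_full) are constructed for the example, and the driver's real MWIFIEX_SIZE_OF_CMD_BUFFER and host_cmd_tlv_mac_addr are deliberately not used. The point it shows is the ordering: the running size is advanced and compared against the capacity first, and the TLV is only written once that check passes, so a command that would not fit is rejected instead of spilling past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a fixed-size command buffer (hypothetical size). */
#define CMD_BUFFER_SIZE 64

/* Generic TLV header; the field layout is an assumption for this example. */
struct tlv_hdr {
    uint16_t type;
    uint16_t len;
};

/* Hypothetical MAC-address TLV: header followed by six address bytes (10 bytes total). */
struct tlv_mac_addr {
    struct tlv_hdr hdr;
    uint8_t mac[6];
};

/* The command buffer plus the number of bytes already in use. */
struct cmd_buf {
    uint8_t data[CMD_BUFFER_SIZE];
    size_t size;
};

/*
 * Append one MAC-address TLV to the command.
 * The size is advanced and checked against the capacity *before* the TLV
 * is touched; on overflow nothing is written, cmd->size is unchanged and
 * -1 is returned so the caller can abort building the command.
 */
int cmd_append_mac_tlv(struct cmd_buf *cmd, uint16_t type, const uint8_t mac[6])
{
    size_t new_size = cmd->size + sizeof(struct tlv_mac_addr);

    if (new_size > CMD_BUFFER_SIZE)
        return -1;

    /* Only touch the TLV after the bounds check has passed. */
    struct tlv_mac_addr *tlv = (struct tlv_mac_addr *)(cmd->data + cmd->size);
    tlv->hdr.type = type;
    tlv->hdr.len = sizeof(tlv->mac);
    memcpy(tlv->mac, mac, sizeof(tlv->mac));
    cmd->size = new_size;
    return 0;
}

/*
 * Keep appending MAC TLVs until the check rejects one and return how many
 * fit. With a 64-byte buffer and 10-byte TLVs that is 6: the seventh would
 * need 70 bytes and is refused without writing anything.
 */
int count_mac_tlvs_until_full(void)
{
    struct cmd_buf cmd = { .size = 0 };
    static const uint8_t mac[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 }; /* constructed */
    int n = 0;

    while (cmd_append_mac_tlv(&cmd, 0x0101, mac) == 0)
        n++;
    return n;
}

int main(void)
{
    printf("MAC TLVs that fit in a %d-byte command buffer: %d\n",
           CMD_BUFFER_SIZE, count_mac_tlvs_until_full());
    return 0;
}
```

The same pattern applies to every TLV type a command builder appends: compute the new size, compare, and only then cast the write pointer, rather than writing first and checking (or never checking) afterwards.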