From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Takashi Iwai <tiwai@suse.de>,
	huangwen <huangwen@venustech.com.cn>,
	Kalle Valo <kvalo@codeaurora.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 04/12] mwifiex: Fix possible buffer overflows at parsing bss descriptor
Date: Wed, 26 Jun 2019 20:42:26 -0400
Message-ID: <20190627004236.21909-4-sashal@kernel.org>
In-Reply-To: <20190627004236.21909-1-sashal@kernel.org>

From: Takashi Iwai <tiwai@suse.de>

[ Upstream commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 ]

mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
a couple places without checking the destination size.  Since the
source is given from user-space, this may trigger a heap buffer
overflow.

Fix it by putting the length check before performing memcpy().

This fix addresses CVE-2019-3846.

Reported-by: huangwen <huangwen@venustech.com.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/mwifiex/scan.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c
index fb98f42cb5e7..6f789899c888 100644
--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -1219,6 +1219,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
 		}
 		switch (element_id) {
 		case WLAN_EID_SSID:
+			if (element_len > IEEE80211_MAX_SSID_LEN)
+				return -EINVAL;
 			bss_entry->ssid.ssid_len = element_len;
 			memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
 			       element_len);
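Review bot: In the WLAN_EID_SSID case the new bound is the protocol constant IEEE80211_MAX_SSID_LEN, not the size of the buffer being written, so the check is only as good as the unseen declaration of bss_entry->ssid.ssid. Comparing against sizeof(bss_entry->ssid.ssid) would tie the guard to the memcpy() destination directly. The early "return -EINVAL;" is also silent; a debug message naming the oversized element would make rejected scan results easier to triage.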
@@ -1228,6 +1230,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
 			break;
 
 		case WLAN_EID_SUPP_RATES:
+			if (element_len > MWIFIEX_SUPPORTED_RATES)
+				return -EINVAL;
 			memcpy(bss_entry->data_rates, current_ptr + 2,
 			       element_len);
 			memcpy(bss_entry->supported_rates, current_ptr + 2,
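Review bot: In the WLAN_EID_SUPP_RATES case a single bound, MWIFIEX_SUPPORTED_RATES, guards two copies with different destinations (bss_entry->data_rates and bss_entry->supported_rates), and the hunk does not show that both arrays are at least that large. Checking element_len against the sizeof of each destination, or the smaller of the two, would make the guard hold for both memcpy() calls regardless of how the fields are declared. As with the SSID case, the "return -EINVAL;" path gives no log output.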
-- 
2.20.1

