From: Arend van Spriel <arend.vanspriel@broadcom.com>
To: Kalle Valo <kvalo@codeaurora.org>
Cc: Kevin Cernekee <cernekee@chromium.org>,
franky.lin@broadcom.com, brcm80211-dev-list.pdl@broadcom.com,
linux-wireless@vger.kernel.org, mnissler@chromium.org
Subject: Re: [PATCH V2 1/3] brcmfmac: Avoid possible out-of-bounds read
Date: Tue, 12 Sep 2017 09:36:52 +0200 [thread overview]
Message-ID: <59B78E94.5040909@broadcom.com> (raw)
In-Reply-To: <87tw08mpq1.fsf@purkki.adurom.net>
On 9/12/2017 7:48 AM, Kalle Valo wrote:
> Arend van Spriel <arend.vanspriel@broadcom.com> writes:
>
>> On 09-09-17 21:30, Kevin Cernekee wrote:
>>> In brcmf_p2p_notify_rx_mgmt_p2p_probereq(), chanspec is assigned before
>>> the length of rxframe is validated. This could lead to uninitialized
>>> data being accessed (but not printed). Since we already have a
>>> perfectly good endian-swapped copy of rxframe->chanspec in ch.chspec,
>>> and ch.chspec is not modified by decchspec(), avoid the extra
>>> assignment and use ch.chspec in the debug print.
>>>
>>> Suggested-by: Mattias Nissler <mnissler@chromium.org>
>>> Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
>>> Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
>>> ---
>>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 3 +--
>>> 1 file changed, 1 insertion(+), 2 deletions(-)
>>>
>>>
>>> V1->V2: Clarify changelog re: whether the uninitialized data is printed.
>>
>> This patch and the others in this series look fine to me.
>
> Should these go to v4.14?
I have no strong opinion. These are certainly improvements, but it does
not seem an -rc fix to me. Within this series I would say patch 3/3 adds
an additional sanity check in the event processing against an attack so
you may consider adding just that one to v4.14 and tag it for stable, ie.:
Cc: stable@vger.kernel.org # v3.8.x
Regards,
Arend
next prev parent reply other threads:[~2017-09-12 7:36 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-09 19:30 [PATCH V2 1/3] brcmfmac: Avoid possible out-of-bounds read Kevin Cernekee
2017-09-09 19:30 ` [PATCH V2 2/3] brcmfmac: Delete redundant length check Kevin Cernekee
2017-09-09 19:30 ` [PATCH V2 3/3] brcmfmac: Add check for short event packets Kevin Cernekee
2017-09-12 7:45 ` [V2,3/3] " Kalle Valo
2017-09-10 18:50 ` [PATCH V2 1/3] brcmfmac: Avoid possible out-of-bounds read Arend van Spriel
2017-09-12 5:48 ` Kalle Valo
2017-09-12 7:36 ` Arend van Spriel [this message]
2017-09-12 7:47 ` Kalle Valo
2017-09-12 7:59 ` Arend van Spriel
2017-09-12 8:05 ` Kalle Valo
2017-09-12 8:18 ` Arend van Spriel
2017-09-12 12:33 ` Greg KH
2017-09-13 4:20 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59B78E94.5040909@broadcom.com \
--to=arend.vanspriel@broadcom.com \
--cc=brcm80211-dev-list.pdl@broadcom.com \
--cc=cernekee@chromium.org \
--cc=franky.lin@broadcom.com \
--cc=kvalo@codeaurora.org \
--cc=linux-wireless@vger.kernel.org \
--cc=mnissler@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.