From: Nicolai Stange <nstange@suse.de>
To: Kalle Valo <kvalo@codeaurora.org>
Cc: huangwenabc@gmail.com, linux-wireless@vger.kernel.org,
	Takashi Iwai <tiwai@suse.de>, Nicolai Stange <nstange@suse.de>,
	Miroslav Benes <mbenes@suse.cz>
Subject: Re: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor
Date: Thu, 09 Jan 2020 15:12:24 +0100
Message-ID: <87woa04t2v.fsf@suse.de>
In-Reply-To: <20191122052917.11309-1-huangwenabc@gmail.com>

Hi,

the patch queued as e5e884b42639 ("libertas: Fix two buffer overflows at
parsing bss descriptor") at the wireless tree doesn't look completely
correct to me.

This hunk here...

diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
index 57edfada0665..c9401c121a14 100644
--- a/drivers/net/wireless/marvell/libertas/cfg.c
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
@@ -1775,9 +1782,12 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
 	if (!rates_eid) {
 		lbs_add_rates(cmd.bss.rates);
 	} else {
-		int hw, i;
-		u8 rates_max = rates_eid[1];
-		u8 *rates = cmd.bss.rates;
+		rates_max = rates_eid[1];
+		if (rates_max > MAX_RATES) {
+			lbs_deb_join("invalid rates");
+			goto out;

... makes the error path skip over the rcu_read_unlock() following later
in the code and leaves the RCU read section unbalanced.

Also, I'm wondering if ret should perhaps get set to some -Exxxx in case
of rates_max > MAX_RATES?

Thanks,

Nicolai


+		}
+		rates = cmd.bss.rates;
 		for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
 			u8 hw_rate = lbs_rates[hw].bitrate / 5;
 			for (i = 0; i < rates_max; i++) {
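Review bot: the new `goto out` after `lbs_deb_join("invalid rates")` leaves the else-branch before the `rcu_read_unlock()` that the normal path reaches later in the function, so the rejected-rates path returns with the RCU read section still held; it also never touches `ret`, so nothing in this hunk turns the oversized rates element into an error return for the caller. Suggest closing the read section and setting an error before leaving, e.g. `rcu_read_unlock(); ret = -EINVAL; goto out;`, or jumping to a label placed after the existing unlock.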

-- 
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg), GF: Felix Imendörffer
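The shape of the fix discussed above, as an added userspace example (not code from the email, the patch or the libertas driver): the rates-element bound check keeps its early exit, but the exit path sets an error code and still closes the read section. `MAX_RATES`, the `rcu_read_lock()`/`rcu_read_unlock()` stand-ins (a nesting counter), `hw_rates` and the sample elements are all constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

typedef uint8_t u8;
#define MAX_RATES 14		/* assumed value of the driver's bound */

/* Stand-in for the RCU read section: a nesting counter lets a caller check
 * that the function never returns with the section still open. */
static int rcu_read_depth;
static void rcu_read_lock(void)   { rcu_read_depth++; }
static void rcu_read_unlock(void) { rcu_read_depth--; }

/* Hardware-supported rates in units of 500 kbit/s (constructed subset). */
static const u8 hw_rates[] = { 2, 4, 11, 22, 12, 18, 24, 36 };

/*
 * Copy the rates advertised in a Supported Rates element (rates_eid points
 * at [EID][len][rate bytes...]) into out[], keeping only those the hardware
 * supports.  The element length is attacker-controlled, so it is checked
 * against MAX_RATES before it drives the loop; on rejection the function
 * reports -EINVAL and still leaves the read section balanced, which is
 * exactly what the reviewed hunk's bare `goto out` did not do.
 */
static int copy_bss_rates(const u8 *rates_eid, u8 *out, size_t out_len)
{
	int ret = 0;
	u8 rates_max;
	size_t hw, i, n = 0;

	rcu_read_lock();
	rates_max = rates_eid[1];
	if (rates_max > MAX_RATES) {
		ret = -EINVAL;		/* reject instead of silently succeeding */
		goto out;
	}
	for (hw = 0; hw < sizeof(hw_rates); hw++)
		for (i = 0; i < rates_max; i++)
			if ((rates_eid[2 + i] & 0x7f) == hw_rates[hw] && n < out_len)
				out[n++] = hw_rates[hw];
out:
	rcu_read_unlock();		/* reached on every path, error or not */
	return ret;
}
```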
