Linux wireless drivers development
From: Arend van Spriel <arend.vanspriel@broadcom.com>
To: Mattias Nissler <mnissler@chromium.org>,
	Kevin Cernekee <cernekee@chromium.org>
Cc: franky.lin@broadcom.com, brcm80211-dev-list.pdl@broadcom.com,
	linux-wireless@vger.kernel.org
Subject: Re: [PATCH 3/3] brcmfmac: Add check for short event packets
Date: Mon, 11 Sep 2017 21:09:32 +0200
Message-ID: <0960e44e-baa7-ac36-4906-cb2d0a39ac3e@broadcom.com>
In-Reply-To: <CAKUbbx+=VpRC0nek=431yxjooun56hb6svSwRjH_faBhdEPf=g@mail.gmail.com>

On 11-09-17 11:19, Mattias Nissler wrote:
> On Fri, Sep 8, 2017 at 9:13 PM, Kevin Cernekee <cernekee@chromium.org> wrote:
>>
>> The length of the data in the received skb is currently passed into
>> brcmf_fweh_process_event() as packet_len, but this value is not checked.
>> event_packet should be followed by DATALEN bytes of additional event
>> data.  Ensure that the received packet actually contains at least
>> DATALEN bytes of additional data, to avoid copying uninitialized memory
>> into event->data.
>>
>> Suggested-by: Mattias Nissler <mnissler@chromium.org>
>> Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
>> ---
>>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
>> index 5aabdc9ed7e0..4cad1f0d2a82 100644
>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
>> @@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr,
>>          if (code != BRCMF_E_IF && !fweh->evt_handler[code])
>>                  return;
>>
>> -       if (datalen > BRCMF_DCMD_MAXLEN)
>> +       if (datalen > BRCMF_DCMD_MAXLEN ||
>> +           datalen + sizeof(*event_packet) < packet_len)
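Review bot: The new clause in this hunk compares in the wrong direction for what the commit message says it enforces. `datalen + sizeof(*event_packet) < packet_len` is true when the received skb is *larger* than header plus advertised payload, so a packet with trailing padding trips the guard (and is dropped like a `datalen > BRCMF_DCMD_MAXLEN` violation), while a truncated packet, where packet_len is smaller than sizeof(*event_packet) + datalen, passes it and the subsequent copy of datalen bytes into event->data still reads past the received data; the same holds for a packet shorter than sizeof(*event_packet) with datalen 0. To require "at least DATALEN bytes of additional data" the condition should be `datalen + sizeof(*event_packet) > packet_len`, which is the reading Mattias asks about in the reply.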
> 
> Shouldn't this check be larger-than, i.e. we need the packet to be at
> least sizeof(*event_packet) + its payload size?

That depends on how you formulate the requirement. packet_len here is 
the length of the received skbuff. The event message (= 
sizeof(*event_packet)) and its variable payload (= datalen) shall not 
exceed the length of the received skbuff (= packet_len).

Regards,
Arend
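As an added illustration of the length check discussed in this thread (this is not code from the patch or from the brcmfmac driver), the condition as posted in the hunk is placed beside one that rejects truncated packets, and both are run against a constructed packet. The `evt_hdr` struct, its 48-byte size, the `MAXLEN` value and the `demo_copy` helper are stand-ins assumed for the example, not the driver's definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the fixed event header; only its size matters. */
struct evt_hdr {
    uint8_t fixed[48];    /* assumed header length, not the real layout */
};
#define MAXLEN 8192       /* stand-in for BRCMF_DCMD_MAXLEN (assumed value) */

/* The guard as written in the posted hunk: it fires when header + datalen
 * is smaller than the skb, i.e. on trailing padding, not on truncation. */
bool reject_as_posted(uint32_t datalen, size_t packet_len)
{
    return datalen > MAXLEN ||
           datalen + sizeof(struct evt_hdr) < packet_len;
}

/* Guard matching the stated requirement: header plus the advertised payload
 * must fit inside the received skb. Checking the header first and then
 * comparing against the remainder avoids any wrap-around in the addition. */
bool reject_short(uint32_t datalen, size_t packet_len)
{
    if (packet_len < sizeof(struct evt_hdr))
        return true;
    return datalen > MAXLEN ||
           datalen > packet_len - sizeof(struct evt_hdr);
}

/* Copy the payload only when it is fully present; returns bytes copied or -1. */
long copy_event_payload(const uint8_t *pkt, size_t packet_len,
                        uint32_t datalen, uint8_t *out, size_t out_len)
{
    if (reject_short(datalen, packet_len) || datalen > out_len)
        return -1;
    memcpy(out, pkt + sizeof(struct evt_hdr), datalen);
    return (long)datalen;
}

/* Constructed packet: header followed by exactly 10 payload bytes. The caller
 * supplies the datalen the header claims, so over-claims can be exercised. */
long demo_copy(uint32_t claimed_datalen)
{
    uint8_t pkt[sizeof(struct evt_hdr) + 10] = {0};
    uint8_t out[MAXLEN];
    for (int i = 0; i < 10; i++)
        pkt[sizeof(struct evt_hdr) + i] = (uint8_t)i;
    return copy_event_payload(pkt, sizeof(pkt), claimed_datalen, out, sizeof(out));
}
```

With the 48-byte header, a packet of 98 bytes claiming 100 payload bytes passes `reject_as_posted` but is caught by `reject_short`, while a 62-byte packet with 4 bytes of padding after a 10-byte payload is dropped by the posted form and accepted by the corrected one.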
