* [PATCH] rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
@ 2018-06-05 11:31 Dan Carpenter
2018-06-27 16:07 ` Kalle Valo
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2018-06-05 11:31 UTC (permalink / raw)
To: Jussi Kivilinna; +Cc: Kalle Valo, linux-wireless, kernel-janitors
This is a static checker fix, not something I have tested. The issue
is that on the second iteration through the loop, we jump forward by
le32_to_cpu(auth_req->length) bytes. The problem is that if the length
is more than "buflen" then we end up with a negative "buflen". A
negative buflen is type promoted to a high positive value and the loop
continues but it's accessing beyond the end of the buffer.
I believe the "auth_req->length" comes from the firmware and if the
firmware is malicious or buggy, you're already toasted so the impact of
this bug is probably not very severe.
Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index 9935bd09db1f..d4947e3a909e 100644
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c
@@ -2928,6 +2928,8 @@ static void rndis_wlan_auth_indication(struct usbnet *usbdev,
while (buflen >= sizeof(*auth_req)) {
auth_req = (void *)buf;
+ if (buflen < le32_to_cpu(auth_req->length))
+ return;
type = "unknown";
flags = le32_to_cpu(auth_req->flags);
pairwise_error = false;
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
2018-06-05 11:31 [PATCH] rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() Dan Carpenter
@ 2018-06-27 16:07 ` Kalle Valo
0 siblings, 0 replies; 2+ messages in thread
From: Kalle Valo @ 2018-06-27 16:07 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Jussi Kivilinna, linux-wireless, kernel-janitors
Dan Carpenter <dan.carpenter@oracle.com> wrote:
> This is a static checker fix, not something I have tested. The issue
> is that on the second iteration through the loop, we jump forward by
> le32_to_cpu(auth_req->length) bytes. The problem is that if the length
> is more than "buflen" then we end up with a negative "buflen". A
> negative buflen is type promoted to a high positive value and the loop
> continues but it's accessing beyond the end of the buffer.
>
> I believe the "auth_req->length" comes from the firmware and if the
> firmware is malicious or buggy, you're already toasted so the impact of
> this bug is probably not very severe.
>
> Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
> index 9935bd09db1f..d4947e3a909e 100644
> --- a/drivers/net/wireless/rndis_wlan.c
> +++ b/drivers/net/wireless/rndis_wlan.c
> @@ -2928,6 +2928,8 @@ static void rndis_wlan_auth_indication(struct usbnet *usbdev,
>
> while (buflen >= sizeof(*auth_req)) {
> auth_req = (void *)buf;
> + if (buflen < le32_to_cpu(auth_req->length))
> + return;
> type = "unknown";
> flags = le32_to_cpu(auth_req->flags);
> pairwise_error = false;
Patch applied to wireless-drivers-next.git, thanks.
ae636fb15548 rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
--
https://patchwork.kernel.org/patch/10448061/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-06-27 16:07 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-06-05 11:31 [PATCH] rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() Dan Carpenter
2018-06-27 16:07 ` Kalle Valo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).