From: Dan Carpenter <dan.carpenter@oracle.com>
To: qize wang <wangqize888888888@gmail.com>
Cc: linux-wireless@vger.kernel.org, amitkarwar <amitkarwar@gmail.com>,
nishants <nishants@marvell.com>, gbhat <gbhat@marvell.com>,
huxinming820 <huxinming820@gmail.com>,
kvalo <kvalo@codeaurora.org>, Greg KH <greg@kroah.com>,
security <security@kernel.org>,
linux-distros <linux-distros@vs.openwall.org>,
Solar Designer <solar@openwall.com>
Subject: Re: [PATCH] mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()
Date: Fri, 22 Nov 2019 14:13:39 +0300 [thread overview]
Message-ID: <20191122111339.GH617@kadam> (raw)
In-Reply-To: <E40E893E-D9B4-4C63-8139-1DD5E1C2CECB@gmail.com>
On Fri, Nov 22, 2019 at 05:43:49PM +0800, qize wang wrote:
> case WLAN_EID_HT_CAPABILITY:
> - memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
^^^^
> + if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
> + return;
> + if (pos[1] != sizeof(struct ieee80211_ht_cap))
> + return;
> + /* copy the ie's value into ht_capb*/
> + memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,
^^^^^^^
I don't understand why we changed "pos" to "pos + 2". Presumably there
is a reason, but it needs to explained in the commit message.
> sizeof(struct ieee80211_ht_cap));
> sta_ptr->is_11n_enabled = 1;
> break;
> case WLAN_EID_HT_OPERATION:
> - memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
^^^
> + if (pos > end -
> + sizeof(struct ieee80211_ht_operation) - 2)
> + return;
> + if (pos[1] != sizeof(struct ieee80211_ht_operation))
> + return;
> + /* copy the ie's value into ht_oper*/
> + memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
^^^^^^^
> sizeof(struct ieee80211_ht_operation));
> break;
> case WLAN_EID_BSS_COEX_2040:
> + if (pos > end - 3)
> + return;
> + if (pos[1] != 1)
> + return;
> sta_ptr->tdls_cap.coex_2040 = pos[2];
> break;
> case WLAN_EID_EXT_CAPABILITY:
> + if (pos > end - sizeof(struct ieee_types_header))
> + return;
> + if (pos[1] < sizeof(struct ieee_types_header))
> + return;
> + if (pos[1] > 8)
> + return;
> memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
> sizeof(struct ieee_types_header) +
> min_t(u8, pos[1], 8));
> break;
> case WLAN_EID_RSN:
> + if (pos > end - sizeof(struct ieee_types_header))
> + return;
> + if (pos[1] < sizeof(struct ieee_types_header))
> + return;
> + if (pos[1] > IEEE_MAX_IE_SIZE -
> + sizeof(struct ieee_types_header))
> + return;
> memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
> sizeof(struct ieee_types_header) +
> min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
> sizeof(struct ieee_types_header)));
> break;
> case WLAN_EID_QOS_CAPA:
> + if (pos > end - 3)
> + return;
> + if (pos[1] != 1)
> + return;
> sta_ptr->tdls_cap.qos_info = pos[2];
> break;
> case WLAN_EID_VHT_OPERATION:
> - if (priv->adapter->is_hw_11ac_capable)
> - memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
^^^
> + if (priv->adapter->is_hw_11ac_capable) {
> + if (pos > end -
> + sizeof(struct ieee80211_vht_operation) - 2)
> + return;
> + if (pos[1] !=
> + sizeof(struct ieee80211_vht_operation))
> + return;
> + /* copy the ie's value into vhtoper*/
> + memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
^^^^^^^
> sizeof(struct ieee80211_vht_operation));
> + }
> break;
> case WLAN_EID_VHT_CAPABILITY:
> if (priv->adapter->is_hw_11ac_capable) {
> - memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
^^^
> + if (pos > end -
> + sizeof(struct ieee80211_vht_cap) - 2)
> + return;
> + if (pos[1] != sizeof(struct ieee80211_vht_cap))
> + return;
> + /* copy the ie's value into vhtcap*/
> + memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
^^^^^^^
> sizeof(struct ieee80211_vht_cap));
> sta_ptr->is_11ac_enabled = 1;
> }
> break;
I was confused by the "- 2" as well in the earlier versions of this
patch but Marvell approved it so I assumed it was correct. It would be
nice if this patch were tested.
regards,
dan carpenter
next prev parent reply other threads:[~2019-11-22 11:14 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-22 9:43 [PATCH] mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() qize wang
2019-11-22 11:13 ` Dan Carpenter [this message]
2019-11-22 11:40 ` [EXT] " Ganapathi Bhat
2019-11-22 12:37 ` Dan Carpenter
2019-11-22 14:27 ` qize wang
2019-11-25 16:04 ` [EXT] " qize wang
2019-11-28 8:05 ` Kalle Valo
[not found] ` <CAGftXBH+s3HaWzoX8hsBdukv0NJsXZc7XZCT=mH5ejeiV9gFrQ@mail.gmail.com>
2019-11-29 5:21 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191122111339.GH617@kadam \
--to=dan.carpenter@oracle.com \
--cc=amitkarwar@gmail.com \
--cc=gbhat@marvell.com \
--cc=greg@kroah.com \
--cc=huxinming820@gmail.com \
--cc=kvalo@codeaurora.org \
--cc=linux-distros@vs.openwall.org \
--cc=linux-wireless@vger.kernel.org \
--cc=nishants@marvell.com \
--cc=security@kernel.org \
--cc=solar@openwall.com \
--cc=wangqize888888888@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox