From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Lee Gibson <leegib@gmail.com>, Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.13 109/189] wl1251: Fix possible buffer overflow in wl1251_cmd_scan
Date: Tue, 6 Jul 2021 07:12:49 -0400 [thread overview]
Message-ID: <20210706111409.2058071-109-sashal@kernel.org> (raw)
In-Reply-To: <20210706111409.2058071-1-sashal@kernel.org>
From: Lee Gibson <leegib@gmail.com>
[ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ]
Function wl1251_cmd_scan calls memcpy without checking the length.
Harden by checking the length is within the maximum allowed size.
Signed-off-by: Lee Gibson <leegib@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c
index 498c8db2eb48..d7a869106782 100644
--- a/drivers/net/wireless/ti/wl1251/cmd.c
+++ b/drivers/net/wireless/ti/wl1251/cmd.c
@@ -454,9 +454,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len,
cmd->channels[i].channel = channels[i]->hw_value;
}
- cmd->params.ssid_len = ssid_len;
- if (ssid)
- memcpy(cmd->params.ssid, ssid, ssid_len);
+ if (ssid) {
+ int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN);
+
+ cmd->params.ssid_len = len;
+ memcpy(cmd->params.ssid, ssid, len);
+ }
ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd));
if (ret < 0) {
--
2.30.2
next prev parent reply other threads:[~2021-07-06 11:17 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20210706111409.2058071-1-sashal@kernel.org>
2021-07-06 11:12 ` [PATCH AUTOSEL 5.13 107/189] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP Sasha Levin
2021-07-06 11:12 ` Sasha Levin [this message]
2021-07-06 11:12 ` [PATCH AUTOSEL 5.13 110/189] cw1200: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 122/189] mt76: mt7615: fix fixed-rate tx status reporting Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 123/189] mt76: dma: use ieee80211_tx_status_ext to free packets when tx fails Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 130/189] mt76: mt7915: fix tssi indication field of DBDC NICs Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 131/189] mt76: mt7921: fix reset under the deep sleep is enabled Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 132/189] mt76: mt7921: reset wfsys during hw probe Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 133/189] mt76: mt7921: enable hw offloading for wep keys Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 134/189] mt76: connac: fix UC entry is being overwritten Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 135/189] mt76: connac: fix the maximum interval schedule scan can support Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 136/189] mt76: mt7915: fix IEEE80211_HE_PHY_CAP7_MAX_NC for station mode Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 137/189] mt76: fix iv and CCMP header insertion Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 138/189] rtl8xxxu: Fix device info for RTL8192EU devices Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 149/189] iwlwifi: mvm: don't change band on bound PHY contexts Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 150/189] iwlwifi: mvm: apply RX diversity per PHY context Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 151/189] iwlwifi: mvm: fix error print when session protection ends Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 152/189] iwlwifi: mvm: support LONG_GROUP for WOWLAN_GET_STATUSES version Sasha Levin
2021-07-06 14:09 ` Johannes Berg
2021-07-07 10:46 ` Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 153/189] iwlwifi: pcie: free IML DMA memory allocation Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 154/189] iwlwifi: pcie: fix context info freeing Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 155/189] rtw88: 8822c: update RF parameter tables to v62 Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 156/189] rtw88: add quirks to disable pci capabilities Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 160/189] wireless: wext-spy: Fix out-of-bounds warning Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 161/189] cfg80211: fix default HE tx bitrate mask in 2G band Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 162/189] mac80211: consider per-CPU statistics if present Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 163/189] mac80211_hwsim: add concurrent channels scanning support over virtio Sasha Levin
2021-07-06 11:13 ` [PATCH AUTOSEL 5.13 164/189] mac80211: Properly WARN on HW scan before restart Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210706111409.2058071-109-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=kvalo@codeaurora.org \
--cc=leegib@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).