[PATCH] ath6kl: prevent potential array overflow in ath6kl_add_new

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
@ 2020-08-13 14:13 Dan Carpenter
  2020-08-14  8:49 ` AW: " Walter Harms
  2020-08-17 10:22 ` Kalle Valo
  0 siblings, 2 replies; 5+ messages in thread
From: Dan Carpenter @ 2020-08-13 14:13 UTC (permalink / raw)
  To: Kalle Valo; +Cc: Jakub Kicinski, Jouni Malinen, linux-wireless, kernel-janitors

The value for "aid" comes from skb->data so Smatch marks it as
untrusted.  If it's invalid then it can result in an out of bounds array
access in ath6kl_add_new_sta().

Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/net/wireless/ath/ath6kl/main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c
index 5e7ea838a921..814131a0680a 100644
--- a/drivers/net/wireless/ath/ath6kl/main.c
+++ b/drivers/net/wireless/ath/ath6kl/main.c
@@ -430,6 +430,9 @@ void ath6kl_connect_ap_mode_sta(struct ath6kl_vif *vif, u16 aid, u8 *mac_addr,
 
 	ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid);
 
+	if (aid < 1 || aid > AP_MAX_NUM_STA)
+		return;
+
 	if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) {
 		struct ieee80211_mgmt *mgmt =
 			(struct ieee80211_mgmt *) assoc_info;
-- 
2.28.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* AW: [PATCH] ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
  2020-08-13 14:13 [PATCH] ath6kl: prevent potential array overflow in ath6kl_add_new_sta() Dan Carpenter
@ 2020-08-14  8:49 ` Walter Harms
  2020-08-14 10:29   ` Kalle Valo
  2020-08-14 11:17   ` Dan Carpenter
  2020-08-17 10:22 ` Kalle Valo
  1 sibling, 2 replies; 5+ messages in thread
From: Walter Harms @ 2020-08-14  8:49 UTC (permalink / raw)
  To: Dan Carpenter, Kalle Valo
  Cc: Jakub Kicinski, Jouni Malinen, linux-wireless@vger.kernel.org,
	kernel-janitors@vger.kernel.org

nitpicking:

the debugtrace will give the impression that the function is 
running. perhaps it is more clever to have this after the check.

jm2c,
 wh
________________________________________
Von: kernel-janitors-owner@vger.kernel.org [kernel-janitors-owner@vger.kernel.org] im Auftrag von Dan Carpenter [dan.carpenter@oracle.com]
Gesendet: Donnerstag, 13. August 2020 16:13
An: Kalle Valo
Cc: Jakub Kicinski; Jouni Malinen; linux-wireless@vger.kernel.org; kernel-janitors@vger.kernel.org
Betreff: [PATCH] ath6kl: prevent potential array overflow in ath6kl_add_new_sta()

The value for "aid" comes from skb->data so Smatch marks it as
untrusted.  If it's invalid then it can result in an out of bounds array
access in ath6kl_add_new_sta().

Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/net/wireless/ath/ath6kl/main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c
index 5e7ea838a921..814131a0680a 100644
--- a/drivers/net/wireless/ath/ath6kl/main.c
+++ b/drivers/net/wireless/ath/ath6kl/main.c
@@ -430,6 +430,9 @@ void ath6kl_connect_ap_mode_sta(struct ath6kl_vif *vif, u16 aid, u8 *mac_addr,

        ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid);

+       if (aid < 1 || aid > AP_MAX_NUM_STA)
+               return;
+
        if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) {
                struct ieee80211_mgmt *mgmt =
                        (struct ieee80211_mgmt *) assoc_info;
--
2.28.0

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: AW: [PATCH] ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
  2020-08-14  8:49 ` AW: " Walter Harms
@ 2020-08-14 10:29   ` Kalle Valo
  2020-08-14 11:17   ` Dan Carpenter
  1 sibling, 0 replies; 5+ messages in thread
From: Kalle Valo @ 2020-08-14 10:29 UTC (permalink / raw)
  To: Walter Harms
  Cc: Dan Carpenter, Jakub Kicinski, Jouni Malinen,
	linux-wireless@vger.kernel.org, kernel-janitors@vger.kernel.org

Walter Harms <wharms@bfs.de> writes:

> the debugtrace will give the impression that the function is 
> running. perhaps it is more clever to have this after the check.

But it's possible to deduce from the debug message that aid is out of
limit, so I prefer the way Dan did it.

Please don't top post. Also your mails are not visible in patchwork and
are easily missed, most likely due to using "AW:" in the subject.

https://patchwork.kernel.org/patch/11712551/

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
  2020-08-14  8:49 ` AW: " Walter Harms
  2020-08-14 10:29   ` Kalle Valo
@ 2020-08-14 11:17   ` Dan Carpenter
  1 sibling, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2020-08-14 11:17 UTC (permalink / raw)
  To: Walter Harms
  Cc: Kalle Valo, Jakub Kicinski, Jouni Malinen,
	linux-wireless@vger.kernel.org, kernel-janitors@vger.kernel.org

On Fri, Aug 14, 2020 at 08:49:43AM +0000, Walter Harms wrote:
> nitpicking:
> 
> the debugtrace will give the impression that the function is 
> running. perhaps it is more clever to have this after the check.
> 

The debug is more useful they way I did it.  Otherwise it doesn't
print anything.  This is also the normal way to do this sort of
debugging.

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
  2020-08-13 14:13 [PATCH] ath6kl: prevent potential array overflow in ath6kl_add_new_sta() Dan Carpenter
  2020-08-14  8:49 ` AW: " Walter Harms
@ 2020-08-17 10:22 ` Kalle Valo
  1 sibling, 0 replies; 5+ messages in thread
From: Kalle Valo @ 2020-08-17 10:22 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Jakub Kicinski, Jouni Malinen, linux-wireless, kernel-janitors

Dan Carpenter <dan.carpenter@oracle.com> wrote:

> The value for "aid" comes from skb->data so Smatch marks it as
> untrusted.  If it's invalid then it can result in an out of bounds array
> access in ath6kl_add_new_sta().
> 
> Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Patch applied to ath-next branch of ath.git, thanks.

54f9ab7b8709 ath6kl: prevent potential array overflow in ath6kl_add_new_sta()

-- 
https://patchwork.kernel.org/patch/11712551/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-08-17 10:22 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-08-13 14:13 [PATCH] ath6kl: prevent potential array overflow in ath6kl_add_new_sta() Dan Carpenter
2020-08-14  8:49 ` AW: " Walter Harms
2020-08-14 10:29   ` Kalle Valo
2020-08-14 11:17   ` Dan Carpenter
2020-08-17 10:22 ` Kalle Valo

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).