From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Nicolai Stange <nstange@suse.de>,
Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 018/100] libertas: make lbs_ibss_join_existing() return error code on rates overflow
Date: Fri, 14 Feb 2020 11:23:02 -0500 [thread overview]
Message-ID: <20200214162425.21071-18-sashal@kernel.org> (raw)
In-Reply-To: <20200214162425.21071-1-sashal@kernel.org>
From: Nicolai Stange <nstange@suse.de>
[ Upstream commit 1754c4f60aaf1e17d886afefee97e94d7f27b4cb ]
Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing() and made it to return on overflow.
However, the aforementioned commit doesn't set the return value accordingly
and thus, lbs_ibss_join_existing() would return with zero even though it
failed.
Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the
number of supplied rates fails.
Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/libertas/cfg.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/libertas/cfg.c b/drivers/net/wireless/libertas/cfg.c
index 803684eed142c..7d55de21b1903 100644
--- a/drivers/net/wireless/libertas/cfg.c
+++ b/drivers/net/wireless/libertas/cfg.c
@@ -1854,6 +1854,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
if (rates_max > MAX_RATES) {
lbs_deb_join("invalid rates");
rcu_read_unlock();
+ ret = -EINVAL;
goto out;
}
rates = cmd.bss.rates;
--
2.20.1
next prev parent reply other threads:[~2020-02-14 16:35 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200214162425.21071-1-sashal@kernel.org>
2020-02-14 16:22 ` [PATCH AUTOSEL 4.4 003/100] brcmfmac: Fix use after free in brcmf_sdio_readframes() Sasha Levin
2020-02-14 16:22 ` [PATCH AUTOSEL 4.4 004/100] gianfar: Fix TX timestamping with a stacked DSA driver Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 017/100] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Sasha Levin
2020-02-14 16:23 ` Sasha Levin [this message]
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 037/100] NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 041/100] isdn: don't mark kcapi_proc_exit as __exit Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 043/100] b43legacy: Fix -Wcast-function-type Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 044/100] ipw2x00: " Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 045/100] iwlegacy: " Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 046/100] rtlwifi: rtl_pci: " Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 048/100] orinoco: avoid assertion in case of NULL pointer Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 057/100] tools lib api fs: Fix gcc9 stringop-truncation compilation error Sasha Levin
2020-02-14 16:23 ` [PATCH AUTOSEL 4.4 065/100] wan: ixp4xx_hss: fix compile-testing on 64-bit Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 083/100] hostap: Adjust indentation in prism2_hostapd_add_sta Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 084/100] rtlwifi: rtl8821ae: remove unused variables Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 085/100] rtlwifi: rtl8192ee: " Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 086/100] rtlwifi: rtl8723ae: " Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 087/100] iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 088/100] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Sasha Levin
2020-02-14 16:24 ` [PATCH AUTOSEL 4.4 089/100] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200214162425.21071-18-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nstange@suse.de \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).