From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-cys01nam02on0108.outbound.protection.outlook.com ([104.47.37.108]:42432 "EHLO NAM02-CY1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1731031AbeIQIby (ORCPT ); Mon, 17 Sep 2018 04:31:54 -0400 From: Sasha Levin To: "stable@vger.kernel.org" , "linux-kernel@vger.kernel.org" CC: Dan Carpenter , Kalle Valo , Sasha Levin Subject: [PATCH AUTOSEL 4.9 43/57] rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() Date: Mon, 17 Sep 2018 03:04:09 +0000 Message-ID: <20180917030340.378-43-alexander.levin@microsoft.com> References: <20180917030340.378-1-alexander.levin@microsoft.com> In-Reply-To: <20180917030340.378-1-alexander.levin@microsoft.com> Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org List-ID: From: Dan Carpenter [ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ] This is a static checker fix, not something I have tested. The issue is that on the second iteration through the loop, we jump forward by le32_to_cpu(auth_req->length) bytes. The problem is that if the length is more than "buflen" then we end up with a negative "buflen". A negative buflen is type promoted to a high positive value and the loop continues but it's accessing beyond the end of the buffer. I believe the "auth_req->length" comes from the firmware and if the firmware is malicious or buggy, you're already toasted so the impact of this bug is probably not very severe. Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin --- drivers/net/wireless/rndis_wlan.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis= _wlan.c index 15b2350d9f45..c9f8847dc123 100644 --- a/drivers/net/wireless/rndis_wlan.c +++ b/drivers/net/wireless/rndis_wlan.c @@ -2921,6 +2921,8 @@ static void rndis_wlan_auth_indication(struct usbnet = *usbdev, =20 while (buflen >=3D sizeof(*auth_req)) { auth_req =3D (void *)buf; + if (buflen < le32_to_cpu(auth_req->length)) + return; type =3D "unknown"; flags =3D le32_to_cpu(auth_req->flags); pairwise_error =3D false; --=20 2.17.1