[PATCH AUTOSEL 3.18 21/29] rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
	Kalle Valo <kvalo@codeaurora.org>,
	Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 3.18 21/29] rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
Date: Mon, 17 Sep 2018 03:05:50 +0000	[thread overview]
Message-ID: <20180917030533.592-21-alexander.levin@microsoft.com> (raw)
In-Reply-To: <20180917030533.592-1-alexander.levin@microsoft.com>

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ]

This is a static checker fix, not something I have tested.  The issue
is that on the second iteration through the loop, we jump forward by
le32_to_cpu(auth_req->length) bytes.  The problem is that if the length
is more than "buflen" then we end up with a negative "buflen".  A
negative buflen is type promoted to a high positive value and the loop
continues but it's accessing beyond the end of the buffer.

I believe the "auth_req->length" comes from the firmware and if the
firmware is malicious or buggy, you're already toasted so the impact of
this bug is probably not very severe.

Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 drivers/net/wireless/rndis_wlan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index 46dda22cec15..ebe762bf01dd 100644
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c
@@ -2919,6 +2919,8 @@ static void rndis_wlan_auth_indication(struct usbnet *usbdev,
 
 	while (buflen >= sizeof(*auth_req)) {
 		auth_req = (void *)buf;
+		if (buflen < le32_to_cpu(auth_req->length))
+			return;
 		type = "unknown";
 		flags = le32_to_cpu(auth_req->flags);
 		pairwise_error = false;
-- 
2.17.1

next prev parent reply	other threads:[~2018-09-17  8:33 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-17  3:05 [PATCH AUTOSEL 3.18 01/29] crypto: skcipher - Fix -Wstringop-truncation warnings Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 02/29] tsl2550: fix lux1_input error in low light Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 03/29] x86/numa_emulation: Fix emulated-to-physical node mapping Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 05/29] USB: serial: kobil_sct: fix modem-status error handling Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 04/29] uwb: hwa-rc: fix memory leak at probe Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 07/29] powerpc/kdump: Handle crashkernel memory reservation failure Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 06/29] media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt() Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 08/29] x86/tsc: Add missing header to tsc_msr.c Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 09/29] scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 10/29] scsi: ibmvscsi: Improve strings handling Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 11/29] usb: wusbcore: security: cast sizeof to int for comparison Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 12/29] alarmtimer: Prevent overflow for relative nanosleep Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 13/29] s390/extmem: fix gcc 8 stringop-overflow warning Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 14/29] ALSA: snd-aoa: add of_node_put() in error path Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 15/29] media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 16/29] media: soc_camera: ov772x: correct setting of banding filter Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 18/29] drivers/tty: add error handling for pcmcia_loop_config Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 17/29] staging: android: ashmem: Fix mmap size validation Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 19/29] media: tm6000: add error handling for dvb_register_adapter Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 20/29] ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge Sasha Levin
2018-09-17  3:05 ` Sasha Levin [this message]
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 23/29] ARM: mvebu: declare asm symbols as character arrays in pmsu.c Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 22/29] wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 25/29] scsi: bnx2i: add error handling for ioremap_nocache Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 24/29] HID: hid-ntrig: add error handling for sysfs_create_group Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 26/29] audit: Fix extended comparison of GID/EGID Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 27/29] ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 28/29] module: exclude SHN_UNDEF symbols from kallsyms api Sasha Levin
2018-09-17  3:05 ` [PATCH AUTOSEL 3.18 29/29] nfsd: fix corrupted reply to badly ordered compound Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:46dda22cec1 dfblob:ebe762bf01d )
 OR (
bs:"[PATCH AUTOSEL 3.18 21/29] rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180917030533.592-21-alexander.levin@microsoft.com \
    --to=alexander.levin@microsoft.com \
    --cc=dan.carpenter@oracle.com \
    --cc=kvalo@codeaurora.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).