| Message ID | 20201208150951.35866-1-ruc_zhangxiaohui@163.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Kalle Valo |
| Headers | show |
| Series | [1/1] mwifiex: Fix possible buffer overflows in mwifiex_config_scan | expand |
On Tue, Dec 8, 2020 at 7:14 AM Xiaohui Zhang <ruc_zhangxiaohui@163.com> wrote: > > From: Zhang Xiaohui <ruc_zhangxiaohui@163.com> > > mwifiex_config_scan() calls memcpy() without checking > the destination size may trigger a buffer overflower, > which a local user could use to cause denial of service > or the execution of arbitrary code. > Fix it by putting the length check before calling memcpy(). ^^ That's not really what you're doing any more, for the record. But then, describing "what" is not really the point of a commit message (that's what the code is for), so maybe that's not that important. > Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com> > --- > drivers/net/wireless/marvell/mwifiex/scan.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c > index c2a685f63..34293fd80 100644 > --- a/drivers/net/wireless/marvell/mwifiex/scan.c > +++ b/drivers/net/wireless/marvell/mwifiex/scan.c > @@ -931,7 +931,7 @@ mwifiex_config_scan(struct mwifiex_private *priv, > wildcard_ssid_tlv->max_ssid_length = 0xfe; > > memcpy(wildcard_ssid_tlv->ssid, > - user_scan_in->ssid_list[i].ssid, ssid_len); > + user_scan_in->ssid_list[i].ssid, min_t(u32, ssid_len, 1)); This *looks* like it should be wrong, because SSIDs are clearly longer than 1 byte in many cases, but you *are* right that this is what the struct is defined as: struct mwifiex_ie_types_wildcard_ssid_params { ... u8 ssid[1]; }; This feels like something that could use some confirmation from NXP/ex-Marvell folks if possible, but if not that, at least some creative testing. Did you actually test this patch, to make sure non-wildcard scans still work? Also, even if this is correct, it seems like it would be more correct to use 'sizeof(wildcard_ssid_tlv->ssid)' instead of a magic number 1. Brian > > tlv_pos += (sizeof(wildcard_ssid_tlv->header) > + le16_to_cpu(wildcard_ssid_tlv->header.len)); > -- > 2.17.1 >
Brian Norris <briannorris@chromium.org> writes: > On Tue, Dec 8, 2020 at 7:14 AM Xiaohui Zhang <ruc_zhangxiaohui@163.com> wrote: >> >> From: Zhang Xiaohui <ruc_zhangxiaohui@163.com> >> >> mwifiex_config_scan() calls memcpy() without checking >> the destination size may trigger a buffer overflower, >> which a local user could use to cause denial of service >> or the execution of arbitrary code. >> Fix it by putting the length check before calling memcpy(). > > ^^ That's not really what you're doing any more, for the record. But > then, describing "what" is not really the point of a commit message > (that's what the code is for), so maybe that's not that important. > >> Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com> >> --- >> drivers/net/wireless/marvell/mwifiex/scan.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c >> index c2a685f63..34293fd80 100644 >> --- a/drivers/net/wireless/marvell/mwifiex/scan.c >> +++ b/drivers/net/wireless/marvell/mwifiex/scan.c >> @@ -931,7 +931,7 @@ mwifiex_config_scan(struct mwifiex_private *priv, >> wildcard_ssid_tlv->max_ssid_length = 0xfe; >> >> memcpy(wildcard_ssid_tlv->ssid, >> - user_scan_in->ssid_list[i].ssid, ssid_len); >> + user_scan_in->ssid_list[i].ssid, min_t(u32, ssid_len, 1)); > > This *looks* like it should be wrong, because SSIDs are clearly longer > than 1 byte in many cases, but you *are* right that this is what the > struct is defined as: > > struct mwifiex_ie_types_wildcard_ssid_params { > ... > u8 ssid[1]; > }; > > This feels like something that could use some confirmation from > NXP/ex-Marvell folks if possible, but if not that, at least some > creative testing. Did you actually test this patch, to make sure > non-wildcard scans still work? > > Also, even if this is correct, it seems like it would be more correct > to use 'sizeof(wildcard_ssid_tlv->ssid)' instead of a magic number 1. Xiaohui, please respond to Brian's comments. If you ignore review comments I have a hard time trusting your patches. Also when you submit a new version you should mark it as v2. See more in the wiki link below.
diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c index c2a685f63..34293fd80 100644 --- a/drivers/net/wireless/marvell/mwifiex/scan.c +++ b/drivers/net/wireless/marvell/mwifiex/scan.c @@ -931,7 +931,7 @@ mwifiex_config_scan(struct mwifiex_private *priv, wildcard_ssid_tlv->max_ssid_length = 0xfe; memcpy(wildcard_ssid_tlv->ssid, - user_scan_in->ssid_list[i].ssid, ssid_len); + user_scan_in->ssid_list[i].ssid, min_t(u32, ssid_len, 1)); tlv_pos += (sizeof(wildcard_ssid_tlv->header) + le16_to_cpu(wildcard_ssid_tlv->header.len));