Message ID | 1473068749-22487-1-git-send-email-arend.vanspriel@broadcom.com (mailing list archive) |
---|---|
State | Accepted |
Commit | ded89912156b1a47d940a0c954c43afbabd0c42c |
Delegated to: | Kalle Valo |
On 5-9-2016 11:45, Arend van Spriel wrote:
> User-space can choose to omit NL80211_ATTR_SSID and only provide raw
> IE TLV data. When doing so it can provide SSID IE with length exceeding
> the allowed size. The driver further processes this IE copying it
> into a local variable without checking the length. Hence stack can be
> corrupted and used as exploit.

This patch is intended for the wireless-drivers repository, i.e. for v4.8.

Regards,
Arend

> Cc: stable@vger.kernel.org # v4.7
> Reported-by: Daxing Guo <freener.gdx@gmail.com>
> Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
> Reviewed-by: Franky Lin <franky.lin@broadcom.com>
> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> ---
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > index 5db56a7..b8aec5e5 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > @@ -4527,7 +4527,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev, > (u8 *)&settings->beacon.head[ie_offset], > settings->beacon.head_len - ie_offset, > WLAN_EID_SSID); > - if (!ssid_ie) > + if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN) > return -EINVAL; > > memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len); >
Arend Van Spriel <arend.vanspriel@broadcom.com> wrote:
> User-space can choose to omit NL80211_ATTR_SSID and only provide raw
> IE TLV data. When doing so it can provide SSID IE with length exceeding
> the allowed size. The driver further processes this IE copying it
> into a local variable without checking the length. Hence stack can be
> corrupted and used as exploit.
>
> Cc: stable@vger.kernel.org # v4.7
> Reported-by: Daxing Guo <freener.gdx@gmail.com>
> Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
> Reviewed-by: Franky Lin <franky.lin@broadcom.com>
> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>

Thanks, 1 patch applied to wireless-drivers.git:

ded89912156b brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c index 5db56a7..b8aec5e5 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c @@ -4527,7 +4527,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev, (u8 *)&settings->beacon.head[ie_offset], settings->beacon.head_len - ie_offset, WLAN_EID_SSID); - if (!ssid_ie) + if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN) return -EINVAL; memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
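Review bot: The new bound in `if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)` is the right guard for the following `memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len)`, but it ties the check to a protocol constant rather than to the destination; `sizeof(ssid_le.SSID)` would keep the bound and the copy size from drifting apart if the local type ever changes. The check also only bounds the copy into `ssid_le.SSID`; whether `ssid_ie->len` has already been validated against `settings->beacon.head_len - ie_offset` by the TLV lookup above is not visible in this hunk and is worth confirming, since an over-long IE at the tail of the head buffer would otherwise still be read past its end.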