[V2,3/3] brcmfmac: Add check for short event packets

Message ID	20170909193020.19061-3-cernekee@chromium.org (mailing list archive)
State	Changes Requested
Delegated to:	Kalle Valo
Headers	show Return-Path: <linux-wireless-owner@kernel.org> From: Kevin Cernekee <cernekee@chromium.org> To: arend.vanspriel@broadcom.com, franky.lin@broadcom.com Cc: brcm80211-dev-list.pdl@broadcom.com, linux-wireless@vger.kernel.org, mnissler@chromium.org Subject: [PATCH V2 3/3] brcmfmac: Add check for short event packets Date: Sat, 9 Sep 2017 12:30:20 -0700 Message-Id: <20170909193020.19061-3-cernekee@chromium.org> In-Reply-To: <20170909193020.19061-1-cernekee@chromium.org> References: <20170909193020.19061-1-cernekee@chromium.org> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk

Message ID

20170909193020.19061-3-cernekee@chromium.org (mailing list archive)

State

Changes Requested

Delegated to:

Kalle Valo

Headers

From: Kevin Cernekee <cernekee@chromium.org>
To: arend.vanspriel@broadcom.com, franky.lin@broadcom.com
Cc: brcm80211-dev-list.pdl@broadcom.com,
	linux-wireless@vger.kernel.org, mnissler@chromium.org
Subject: [PATCH V2 3/3] brcmfmac: Add check for short event packets
Date: Sat,  9 Sep 2017 12:30:20 -0700
Message-Id: <20170909193020.19061-3-cernekee@chromium.org>
In-Reply-To: <20170909193020.19061-1-cernekee@chromium.org>
References: <20170909193020.19061-1-cernekee@chromium.org>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk

Commit Message

Kevin Cernekee Sept. 9, 2017, 7:30 p.m. UTC

The length of the data in the received skb is currently passed into
brcmf_fweh_process_event() as packet_len, but this value is not checked.
event_packet should be followed by DATALEN bytes of additional event
data.  Ensure that the received packet actually contains at least
DATALEN bytes of additional data, to avoid copying uninitialized memory
into event->data.

Suggested-by: Mattias Nissler <mnissler@chromium.org>
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


V1->V2: No change.

Comments

Kalle Valo Sept. 12, 2017, 7:45 a.m. UTC | #1

Kevin Cernekee <cernekee@chromium.org> wrote:

> The length of the data in the received skb is currently passed into
> brcmf_fweh_process_event() as packet_len, but this value is not checked.
> event_packet should be followed by DATALEN bytes of additional event
> data.  Ensure that the received packet actually contains at least
> DATALEN bytes of additional data, to avoid copying uninitialized memory
> into event->data.
> 
> Suggested-by: Mattias Nissler <mnissler@chromium.org>
> Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
> Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>

I'll queue this for v4.14 and add:

Cc: stable@vger.kernel.org # v3.8+

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
index 27e661fa356f..28361bb865f3 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
@@ -424,7 +424,8 @@  void brcmf_fweh_process_event(struct brcmf_pub *drvr,
 	if (code != BRCMF_E_IF && !fweh->evt_handler[code])
 		return;
 
-	if (datalen > BRCMF_DCMD_MAXLEN)
+	if (datalen > BRCMF_DCMD_MAXLEN ||
+	    datalen + sizeof(*event_packet) < packet_len)
 		return;
 
 	if (in_interrupt())

[V2,3/3] brcmfmac: Add check for short event packets

Commit Message

Comments

Patch