From patchwork Wed Nov  9 02:28:24 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Brian Norris <briannorris@chromium.org>
X-Patchwork-Id: 9418369
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	D596E6022E for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed,  9 Nov 2016 02:31:34 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C95082913E
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed,  9 Nov 2016 02:31:34 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id BDA7329141; Wed,  9 Nov 2016 02:31:34 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU,
	RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0A9112913E
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed,  9 Nov 2016 02:31:34 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751638AbcKICbS (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Tue, 8 Nov 2016 21:31:18 -0500
Received: from mail-pf0-f169.google.com ([209.85.192.169]:33870 "EHLO
	mail-pf0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751317AbcKICbR (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Tue, 8 Nov 2016 21:31:17 -0500
Received: by mail-pf0-f169.google.com with SMTP id n85so117915232pfi.1
	for <linux-wireless@vger.kernel.org>;
	Tue, 08 Nov 2016 18:31:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=chromium.org; s=google;
	h=from:to:cc:subject:date:message-id;
	bh=Z8Td6JFWw3J/gdibFFIo+HL6GLvLKJ4T2Al39iQkTfc=;
	b=aHjnq7yQU5WU+GQLxOAI4dpOOH3hqblIlHwOPSRAMVYCVVd7z51rUr///gNfUtG8oZ
	El1p+Yi8RwW36cA/AEFkxarJ+Jp4ocpZc849VHlxVHyXgXrarVekJAsUVJzs6Q0N9snn
	f/BuGhLn/ch3+eKIjgHEi2mJkkhuISwLFIX4c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=Z8Td6JFWw3J/gdibFFIo+HL6GLvLKJ4T2Al39iQkTfc=;
	b=YgeLcqiQ3paT8VmOyD89S2z666/SbDz6xQt5kSE0hIcjpGN6qdEmYmyTeN4JednxEp
	PllOAiAr7Sy1BiYF6xoAZPLkic9nt5iPZNaSdRzCoAlSVsuD5uNcHDT4lKTP9d0Fpk4L
	cch9TSbzAloiPgq/s3c7/n88wflP7KYaaQFZU4WR9zzgWw9oFg7v/fsN22fs865mNXCR
	iu5MKiqWq66Vkxlsa7kTej8a9lmFF+IkLbjPrI2FbPtAE6qbia0EYYeEhH91uu0zgpfC
	v95wNKBvf/5qlprCyYZO+J7c9NdxBXuO6ANi0US/7pKMFOKrU3/zRKoy4iuW+Jm+7IA1
	5hXA==
X-Gm-Message-State: 
 ABUngvfX9qvx0y0Z+MpLGtY4zItLUMElkYvXQM+qwvhX8keplOTWog8T1tZunvqwdPo2BD8h
X-Received: by 10.98.25.205 with SMTP id 196mr29089561pfz.46.1478658676488;
	Tue, 08 Nov 2016 18:31:16 -0800 (PST)
Received: from ban.mtv.corp.google.com ([172.22.64.120])
	by smtp.gmail.com with ESMTPSA id
	131sm50937542pfx.92.2016.11.08.18.31.15
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Tue, 08 Nov 2016 18:31:16 -0800 (PST)
From: Brian Norris <briannorris@chromium.org>
To: Amitkumar Karwar <akarwar@marvell.com>,
	Nishant Sarmukadam <nishants@marvell.com>,
	Kalle Valo <kvalo@codeaurora.org>
Cc: <linux-kernel@vger.kernel.org>, linux-wireless@vger.kernel.org,
	Cathy Luo <cluo@marvell.com>, security@kernel.org,
	stable@vger.kernel.org, Brian Norris <briannorris@chromium.org>
Subject: [PATCH] mwifiex: printk() overflow with 32-byte SSIDs
Date: Tue,  8 Nov 2016 18:28:24 -0800
Message-Id: <1478658504-31045-1-git-send-email-briannorris@chromium.org>
X-Mailer: git-send-email 2.8.0.rc3.226.g39d4020
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

SSIDs aren't guaranteed to be 0-terminated. Let's cap the max length
when we print them out.

This can be easily noticed by connecting to a network with a 32-octet
SSID:

[ 3903.502925] mwifiex_pcie 0000:01:00.0: info: trying to associate to
'0123456789abcdef0123456789abcdef <uninitialized mem>' bssid
xx:xx:xx:xx:xx:xx

Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Cc: <stable@vger.kernel.org>
Acked-by: Amitkumar Karwar <akarwar@marvell.com>
---
 drivers/net/wireless/marvell/mwifiex/cfg80211.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
index 39ce76ad00bc..16241d21727b 100644
--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
@@ -2222,8 +2222,9 @@ mwifiex_cfg80211_assoc(struct mwifiex_private *priv, size_t ssid_len,
 			is_scanning_required = 1;
 		} else {
 			mwifiex_dbg(priv->adapter, MSG,
-				    "info: trying to associate to '%s' bssid %pM\n",
-				    (char *)req_ssid.ssid, bss->bssid);
+				    "info: trying to associate to '%.*s' bssid %pM\n",
+				    req_ssid.ssid_len, (char *)req_ssid.ssid,
+				    bss->bssid);
 			memcpy(&priv->cfg_bssid, bss->bssid, ETH_ALEN);
 			break;
 		}
@@ -2283,8 +2284,8 @@ mwifiex_cfg80211_connect(struct wiphy *wiphy, struct net_device *dev,
 	}
 
 	mwifiex_dbg(adapter, INFO,
-		    "info: Trying to associate to %s and bssid %pM\n",
-		    (char *)sme->ssid, sme->bssid);
+		    "info: Trying to associate to %.*s and bssid %pM\n",
+		    (int)sme->ssid_len, (char *)sme->ssid, sme->bssid);
 
 	if (!mwifiex_stop_bg_scan(priv))
 		cfg80211_sched_scan_stopped_rtnl(priv->wdev.wiphy);
@@ -2417,8 +2418,8 @@ mwifiex_cfg80211_join_ibss(struct wiphy *wiphy, struct net_device *dev,
 	}
 
 	mwifiex_dbg(priv->adapter, MSG,
-		    "info: trying to join to %s and bssid %pM\n",
-		    (char *)params->ssid, params->bssid);
+		    "info: trying to join to %.*s and bssid %pM\n",
+		    params->ssid_len, (char *)params->ssid, params->bssid);
 
 	mwifiex_set_ibss_params(priv, params);