From patchwork Tue Jun 5 11:31:39 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 10448061 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id CB94C60467 for ; Tue, 5 Jun 2018 11:32:04 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B7F26290F6 for ; Tue, 5 Jun 2018 11:32:04 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id ACBD5290FC; Tue, 5 Jun 2018 11:32:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5C35F290F6 for ; Tue, 5 Jun 2018 11:32:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751750AbeFELcD (ORCPT ); Tue, 5 Jun 2018 07:32:03 -0400 Received: from userp2130.oracle.com ([156.151.31.86]:51090 "EHLO userp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751622AbeFELcB (ORCPT ); Tue, 5 Jun 2018 07:32:01 -0400 Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w55BVPdc183287; Tue, 5 Jun 2018 11:31:48 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : mime-version : content-type; s=corp-2017-10-26; bh=zrIETLJJ3zgJ9cS0ZNZ4rFArGCJvu5k9O6xC+Knqv/Q=; b=nNpDEF5IyYFhlpaVX2cXymKQz5jCrdxe2i9mMzLky/NiqVJDUz9GiFJVBSZs54EarPxt 8mThDqJuD50S2X3bwKcm7A4l+ap6ckaOhj30/24jmHJVDpLW7fpNtdSjOcZmcs7gZ1Ny /+2pDfW8olJAODYGUxgtDVmHLASg/JASJ7gY7ysd8lB+t85aDSihHzRUceEkgAQT4lLf ziSLj7ZfpVgwqggn33Hwk0dmM9z9ZcObXPsxPv3TjtkxbLrSsMn611IQ1niT68YRWloy 5QIKnOftCowUM4Kp6QVPhrN+a8NYq5XThTumhpI3zPJQgomJUhogczr6DqM/ipIi1RYg +w== Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp2130.oracle.com with ESMTP id 2jbvyp7sub-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 05 Jun 2018 11:31:47 +0000 Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w55BVlEg031221 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 5 Jun 2018 11:31:47 GMT Received: from abhmp0008.oracle.com (abhmp0008.oracle.com [141.146.116.14]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w55BVk2W014884; Tue, 5 Jun 2018 11:31:47 GMT Received: from kili.mountain (/41.202.241.46) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 05 Jun 2018 04:31:46 -0700 Date: Tue, 5 Jun 2018 14:31:39 +0300 From: Dan Carpenter To: Jussi Kivilinna Cc: Kalle Valo , linux-wireless@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() Message-ID: <20180605113139.m65jc2hlisa62deu@kili.mountain> MIME-Version: 1.0 Content-Disposition: inline X-Mailer: git-send-email haha only kidding User-Agent: NeoMutt/20170113 (1.7.2) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8914 signatures=668702 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1806050135 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This is a static checker fix, not something I have tested. The issue is that on the second iteration through the loop, we jump forward by le32_to_cpu(auth_req->length) bytes. The problem is that if the length is more than "buflen" then we end up with a negative "buflen". A negative buflen is type promoted to a high positive value and the loop continues but it's accessing beyond the end of the buffer. I believe the "auth_req->length" comes from the firmware and if the firmware is malicious or buggy, you're already toasted so the impact of this bug is probably not very severe. Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device") Signed-off-by: Dan Carpenter diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c index 9935bd09db1f..d4947e3a909e 100644 --- a/drivers/net/wireless/rndis_wlan.c +++ b/drivers/net/wireless/rndis_wlan.c @@ -2928,6 +2928,8 @@ static void rndis_wlan_auth_indication(struct usbnet *usbdev, while (buflen >= sizeof(*auth_req)) { auth_req = (void *)buf; + if (buflen < le32_to_cpu(auth_req->length)) + return; type = "unknown"; flags = le32_to_cpu(auth_req->flags); pairwise_error = false;