From patchwork Thu Oct 17 09:18:32 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 11195201 X-Patchwork-Delegate: johannes@sipsolutions.net Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6FBB6112B for ; Thu, 17 Oct 2019 09:19:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4C6EF214E0 for ; Thu, 17 Oct 2019 09:19:40 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=oracle.com header.i=@oracle.com header.b="BTMIIGNB" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2393097AbfJQJTj (ORCPT ); Thu, 17 Oct 2019 05:19:39 -0400 Received: from aserp2120.oracle.com ([141.146.126.78]:44002 "EHLO aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728987AbfJQJTj (ORCPT ); Thu, 17 Oct 2019 05:19:39 -0400 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x9H9JPHW067550; Thu, 17 Oct 2019 09:19:33 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : mime-version : content-type; s=corp-2019-08-05; bh=HqGJrXdDr+L2vzzi8nOpmT45hooIBj7pFx6NpAJ8pDE=; b=BTMIIGNB03tk7WGXihAsFPeRnJ76O2/dqzqyHVYfNWH1N+cG9z6Mln3g/mUaehMXg0qZ /Zk2e2k04mP6i5aAIbgAwyju+bLOPy/VBusfKsHP3Fz2w4gCKTEUmwNFMDHNYaVco5NJ wASfbLRYvMZxn7wpnbb1aIk0lB3Ox8jfGN+kSPo2KhzcrnMEbUjC84oMvc185wH1JGvL Djohj9Zv0k8ZBevP64KNhFqJNPvpfWGWnanVWnq9gvhhEy1GF2PhpSeZ0CBJn6wf6MzD BdF6uojNyMKFqBvzoTQXbjrynQ2bW6vtgzhzEf/OOFQP/fzD/tO9auO1tTYnr9OixFS9 IA== Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by aserp2120.oracle.com with ESMTP id 2vk6sqw2ft-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 17 Oct 2019 09:19:33 +0000 Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x9H9JVcZ106375; Thu, 17 Oct 2019 09:19:32 GMT Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userp3030.oracle.com with ESMTP id 2vp3bk9y52-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 17 Oct 2019 09:19:32 +0000 Received: from abhmp0002.oracle.com (abhmp0002.oracle.com [141.146.116.8]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x9H9IdLa028892; Thu, 17 Oct 2019 09:18:40 GMT Received: from mwanda (/41.57.98.10) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 17 Oct 2019 09:18:39 +0000 Date: Thu, 17 Oct 2019 12:18:32 +0300 From: Dan Carpenter To: Adham Abozaeid Cc: Ajay Singh , Greg Kroah-Hartman , linux-wireless@vger.kernel.org, devel@driverdev.osuosl.org, kernel-janitors@vger.kernel.org Subject: [PATCH] staging: wilc1000: potential corruption in wilc_parse_join_bss_param() Message-ID: <20191017091832.GB31278@mwanda> MIME-Version: 1.0 Content-Disposition: inline X-Mailer: git-send-email haha only kidding User-Agent: Mutt/1.10.1 (2018-07-13) X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9412 signatures=668684 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1910170084 X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9412 signatures=668684 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1910170084 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org The "rates_len" value needs to be capped so that the memcpy() doesn't copy beyond the end of the array. Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver") Signed-off-by: Dan Carpenter Reviewed-by: Adham Abozaeid --- drivers/staging/wilc1000/wilc_hif.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/staging/wilc1000/wilc_hif.c b/drivers/staging/wilc1000/wilc_hif.c index 0ac2b6ac50b0..e0a95c5cc0d5 100644 --- a/drivers/staging/wilc1000/wilc_hif.c +++ b/drivers/staging/wilc1000/wilc_hif.c @@ -479,6 +479,8 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, rates_ie = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies->data, ies->len); if (rates_ie) { rates_len = rates_ie[1]; + if (rates_len > WILC_MAX_RATES_SUPPORTED) + rates_len = WILC_MAX_RATES_SUPPORTED; param->supp_rates[0] = rates_len; memcpy(¶m->supp_rates[1], rates_ie + 2, rates_len); }