| Message ID | 20210317121807.389169-1-leegib@gmail.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Kalle Valo |
| Headers | show |
| Series | wl1251: Fix possible buffer overflow in wl1251_cmd_scan | expand |
Lee Gibson <leegib@gmail.com> writes: > Function wl1251_cmd_scan calls memcpy without checking the length. > A user could control that length and trigger a buffer overflow. > Fix by checking the length is within the maximum allowed size. > > Signed-off-by: Lee Gibson <leegib@gmail.com> Please fix the commit log, the user cannot control this length as cfg80211 checks it before handling it to wl1251. Unless I'm missing something. > --- > drivers/net/wireless/ti/wl1251/cmd.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c > index 498c8db2eb48..e4d028a53d91 100644 > --- a/drivers/net/wireless/ti/wl1251/cmd.c > +++ b/drivers/net/wireless/ti/wl1251/cmd.c > @@ -455,8 +455,11 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len, > } > > cmd->params.ssid_len = ssid_len; If you are checking the length, you should also check ssid_len here. > - if (ssid) > - memcpy(cmd->params.ssid, ssid, ssid_len); > + if (ssid) { > + int len = min_t(int, ssid_len, IEEE80211_MAX_SSID_LEN); > + > + memcpy(cmd->params.ssid, ssid, len); > + } Please use clamp_val(). Also another (and IMHO better) way to cleanup this is to provide a pointer to struct cfg80211_ssid, which makes it clear that the length can be trusted and not length checking is not needed. So something like this: int wl1251_cmd_scan(struct wl1251 *wl, const struct cfg80211_ssid *ssid, struct ieee80211_channel *channels[], unsigned int n_channels, unsigned int n_probes)
diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c index 498c8db2eb48..e4d028a53d91 100644 --- a/drivers/net/wireless/ti/wl1251/cmd.c +++ b/drivers/net/wireless/ti/wl1251/cmd.c @@ -455,8 +455,11 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len, } cmd->params.ssid_len = ssid_len; - if (ssid) - memcpy(cmd->params.ssid, ssid, ssid_len); + if (ssid) { + int len = min_t(int, ssid_len, IEEE80211_MAX_SSID_LEN); + + memcpy(cmd->params.ssid, ssid, len); + } ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd)); if (ret < 0) {
Function wl1251_cmd_scan calls memcpy without checking the length. A user could control that length and trigger a buffer overflow. Fix by checking the length is within the maximum allowed size. Signed-off-by: Lee Gibson <leegib@gmail.com> --- drivers/net/wireless/ti/wl1251/cmd.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)