diff mbox series

wifi: mwifiex: Security: Fix memcpy oobs in mwifiex_set_encode

Message ID 20230706020751.859773-1-pinkperfect2021@gmail.com (mailing list archive)
State Changes Requested
Delegated to: Kalle Valo
Headers show
Series wifi: mwifiex: Security: Fix memcpy oobs in mwifiex_set_encode | expand

Commit Message

Polaris Pi July 6, 2023, 2:07 a.m. UTC 
In cfg80211 flow, when handling userspace netlink messages
if input cipher mode is WLAN_CIPHER_SUITE_SMS4
will make cfg80211_validate_key_settings not check key_len and seq_len
which will cause controllable memcpy overwrite
So needs to check them in mwifiex_set_encode.

Signed-off-by: pinkperfect <pinkperfect2021@gmail.com>
---
 drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Polaris Pi July 8, 2023, 6:48 a.m. UTC | #1 
This patch is false alert, please ignore it. Thanks!
diff mbox series

Patch

diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
index a2ad2b53f016..bddc11eac8a9 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
@@ -1099,6 +1099,11 @@  int mwifiex_set_encode(struct mwifiex_private *priv, struct key_params *kp,
 {
 	struct mwifiex_ds_encrypt_key encrypt_key;
 
+	if (key_len > WLAN_MAX_KEY_LEN || (kp && kp->seq_len > PN_LEN)) {
+		mwifiex_dbg(priv->adapter, ERROR, "invalid parameters");
+		return -1;
+	}
+
 	memset(&encrypt_key, 0, sizeof(encrypt_key));
 	encrypt_key.key_len = key_len;
 	encrypt_key.key_index = key_index;