From patchwork Thu Jan 2 02:39:26 2020
X-Patchwork-Submitter: m1s5p6688@gmail.com
X-Patchwork-Id: 11315253
X-Patchwork-Delegate: kvalo@adurom.com
From: m1s5p6688@gmail.com
To: linux-wireless@vger.kernel.org
Cc: amitkarwar@gmail.com, nishants@marvell.com, gbhat@marvell.com, huxinming820@gmail.com
Subject: [PATCH 1/2] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()
Date: Thu, 2 Jan 2020 10:39:26 +0800
Message-Id: <20200102023927.4687-2-m1s5p6688@gmail.com>
In-Reply-To: <20200102023927.4687-1-m1s5p6688@gmail.com>
References: <20200102023927.4687-1-m1s5p6688@gmail.com>
X-Mailing-List: linux-wireless@vger.kernel.org

From: Qing Xu

mwifiex_ret_wmm_get_status() calls memcpy() without checking the destination size. Since the source is given from a remote AP which contains illegal wmm elements, this may trigger a heap buffer overflow.

Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu
---
 drivers/net/wireless/marvell/mwifiex/wmm.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/wmm.c b/drivers/net/wireless/marvell/mwifiex/wmm.c index 41f023137..132f9e8ed 100644 --- a/drivers/net/wireless/marvell/mwifiex/wmm.c +++ b/drivers/net/wireless/marvell/mwifiex/wmm.c 
@@ -970,6 +970,10 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private *priv, "WMM Parameter Set Count: %d\n", wmm_param_ie->qos_info_bitmap & mask); + if (wmm_param_ie->vend_hdr.len + 2 > + sizeof(struct ieee_types_wmm_parameter)) + break; + memcpy((u8 *) &priv->curr_bss_params.bss_descriptor. wmm_ie, wmm_param_ie, wmm_param_ie->vend_hdr.len + 2);
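Review bot: the bound added before the memcpy, `if (wmm_param_ie->vend_hdr.len + 2 > sizeof(struct ieee_types_wmm_parameter)) break;`, rejects an oversized WMM IE silently, whereas the sibling check in 2/2 calls mwifiex_dbg(priv->adapter, ERROR, ...) first; emit the same diagnostic here, since the function is already logging the parameter set count two lines above and an AP sending an IE that does not fit is exactly the event a bug report needs to show. The check also only bounds the destination: it proves len + 2 fits ieee_types_wmm_parameter, but nothing in the hunk shows that len + 2 bytes are actually present in the response the IE was parsed from, so please confirm the caller's TLV length check covers the source side, otherwise the memcpy still over-reads. Lastly, the bare `+ 2` (element id and length bytes) now appears in both the check and the memcpy; a named constant or a sizeof over those two vend_hdr fields would keep the two from drifting apart.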
From patchwork Thu Jan 2 02:39:27 2020
X-Patchwork-Submitter: m1s5p6688@gmail.com
X-Patchwork-Id: 11315255
X-Patchwork-Delegate: kvalo@adurom.com
From: m1s5p6688@gmail.com
To: linux-wireless@vger.kernel.org
Cc: amitkarwar@gmail.com, nishants@marvell.com, gbhat@marvell.com, huxinming820@gmail.com
Subject: [PATCH 2/2] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
Date: Thu, 2 Jan 2020 10:39:27 +0800
Message-Id: <20200102023927.4687-3-m1s5p6688@gmail.com>
In-Reply-To: <20200102023927.4687-1-m1s5p6688@gmail.com>
References: <20200102023927.4687-1-m1s5p6688@gmail.com>
X-Mailing-List: linux-wireless@vger.kernel.org
From: Qing Xu

mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking the destination size, which may trigger a buffer overflow that a local user could use to cause a denial of service or the execution of arbitrary code.

Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu
---
 drivers/net/wireless/marvell/mwifiex/scan.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c index 98f942b79..a7968a84a 100644 --- a/drivers/net/wireless/marvell/mwifiex/scan.c +++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -2884,6 +2884,13 @@ mwifiex_cmd_append_vsie_tlv(struct mwifiex_private *priv, vs_param_set->header.len = cpu_to_le16((((u16) priv->vs_ie[id].ie[1]) & 0x00FF) + 2); + if (le16_to_cpu(vs_param_set->header.len) > + MWIFIEX_MAX_VSIE_LEN) { + mwifiex_dbg(priv->adapter, ERROR, + "Invalid param length!\n"); + break; + } + memcpy(vs_param_set->ie, priv->vs_ie[id].ie, le16_to_cpu(vs_param_set->header.len)); *buffer += le16_to_cpu(vs_param_set->header.len) +
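Review bot: the length is written to vs_param_set->header.len before it is checked, and since the `*buffer +=` below advances the caller's pointer past vs_param_set, that header lives in the command buffer; on the error path the hunk breaks out with a TLV header carrying an over-limit length already stored there and nothing accounting for it. Compute the value into a local first, e.g. `u16 len = (((u16) priv->vs_ie[id].ie[1]) & 0x00FF) + 2;`, compare that against MWIFIEX_MAX_VSIE_LEN, and only then store header.len and memcpy. The `break` also ends the whole loop that the [id] indexing implies, so one bad entry silently drops every later vs_ie[] entry from the command; a `continue`, or an error return to the caller, would be less surprising than truncating the command. The comparison itself is right: ie[1] is a single byte, so len + 2 tops out at 257, and bounding it by MWIFIEX_MAX_VSIE_LEN keeps the copy inside the ie arrays provided both are MWIFIEX_MAX_VSIE_LEN bytes, which the hunk does not show.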
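Both patches fix the same pattern: a length byte taken from an IE (sent by the AP in 1/2, configured by a local user in 2/2) drives a memcpy into a fixed-size destination. The C program below is an added example, not mwifiex code: it models both copies with assumed struct layouts, an assumed MAX_VSIE_LEN of 256 and an assumed TLV type value, runs them over constructed IE bytes, and shows the two bounds a safe copy needs, that the claimed length is actually present in the source and that it fits the destination.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 802.11 vendor-specific IE header (not the driver's definition):
 * element_id and len are the two bytes the patches' "+ 2" accounts for;
 * len counts the bytes that follow it. */
struct vendor_header {
	uint8_t element_id;
	uint8_t len;
	uint8_t oui[3];
	uint8_t oui_type;
	uint8_t oui_subtype;
	uint8_t version;
};

/* Assumed fixed-size destination standing in for bss_descriptor.wmm_ie:
 * 8-byte header, QoS info, reserved, four 4-byte AC parameter records = 26 bytes. */
struct wmm_parameter {
	struct vendor_header vend_hdr;
	uint8_t qos_info_bitmap;
	uint8_t reserved;
	uint8_t ac_params[16];
};

/* Assumed TLV header and limit standing in for mwifiex_ie_types_header and
 * MWIFIEX_MAX_VSIE_LEN; byte order is ignored in this host-only example. */
struct tlv_header {
	uint16_t type;
	uint16_t len;
};
#define MAX_VSIE_LEN 256
#define TLV_TYPE_PASSTHROUGH_ASSUMED 0x0100

/* Pattern of patch 1/2: copy a WMM parameter IE received from the AP into a
 * fixed struct. ie_avail is how many bytes of the response really remain.
 * Returns bytes copied, or -1 if the IE is truncated or would not fit.
 * The pre-patch code did memcpy(dst, ie, ie[1] + 2) unconditionally. */
int copy_wmm_ie(struct wmm_parameter *dst, const uint8_t *ie, size_t ie_avail)
{
	size_t total;

	if (ie_avail < 2)		/* need both header bytes before trusting len */
		return -1;
	total = (size_t)ie[1] + 2;	/* attacker-controlled, up to 257 */
	if (total > ie_avail)		/* source bound: no over-read of the frame */
		return -1;
	if (total > sizeof(*dst))	/* destination bound: the patch's check */
		return -1;
	memcpy(dst, ie, total);
	return (int)total;
}

/* Pattern of patch 2/2: append a user-configured vendor IE as a TLV to a
 * command buffer. ie[1] is the IE's own length byte; the TLV payload is the
 * whole IE, ie[0 .. len + 1]. The length is validated before anything is
 * written to buf. Returns bytes appended, or -1 if rejected. */
int append_vsie_tlv(uint8_t *buf, size_t buf_avail, const uint8_t *ie)
{
	size_t payload = (size_t)ie[1] + 2;
	struct tlv_header hdr;

	if (payload > MAX_VSIE_LEN)		/* the patch's check, before any store */
		return -1;
	if (sizeof(hdr) + payload > buf_avail)	/* command buffer bound */
		return -1;
	hdr.type = TLV_TYPE_PASSTHROUGH_ASSUMED;
	hdr.len = (uint16_t)payload;
	memcpy(buf, &hdr, sizeof(hdr));
	memcpy(buf + sizeof(hdr), ie, payload);
	return (int)(sizeof(hdr) + payload);
}

/* Constructed WMM IE frame (not captured traffic): element id 0xdd, the given
 * length byte, WMM OUI/type/subtype/version, QoS info, reserved, then filler.
 * Only ie_avail bytes are offered, as if that is all the AP's response held. */
int try_wmm_ie(uint8_t len_byte, size_t ie_avail)
{
	uint8_t frame[300] = { 0xdd, 0, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01, 0x80, 0x00 };
	struct wmm_parameter dst;

	frame[1] = len_byte;
	memset(frame + 10, 0xa5, sizeof(frame) - 10);
	memset(&dst, 0, sizeof(dst));
	return copy_wmm_ie(&dst, frame, ie_avail < sizeof(frame) ? ie_avail : sizeof(frame));
}

/* Constructed user-configured vendor IE of MAX_VSIE_LEN bytes with the given
 * length byte, appended to a command buffer with buf_avail bytes free. */
int try_vsie(uint8_t len_byte, size_t buf_avail)
{
	uint8_t ie[MAX_VSIE_LEN];
	uint8_t cmd[512];

	memset(ie, 0x5a, sizeof(ie));
	ie[0] = 0xdd;
	ie[1] = len_byte;
	return append_vsie_tlv(cmd, buf_avail < sizeof(cmd) ? buf_avail : sizeof(cmd), ie);
}

int main(void)
{
	printf("wmm len=24, 26 avail:  %d\n", try_wmm_ie(24, 26));	/* 26: fits exactly */
	printf("wmm len=24, 10 avail:  %d\n", try_wmm_ie(24, 10));	/* -1: frame truncated */
	printf("wmm len=255, 300 avail: %d\n", try_wmm_ie(255, 300));	/* -1: 257 > 26 */
	printf("vsie len=254, 512 avail: %d\n", try_vsie(254, 512));	/* 260: 4 + 256 */
	printf("vsie len=255, 512 avail: %d\n", try_vsie(255, 512));	/* -1: 257 > 256 */
	return 0;
}
```

The source-side bound in copy_wmm_ie is the part neither hunk shows: a destination check alone stops the write from running past wmm_ie, but the read still runs past the end of the response unless the caller has already verified that len + 2 bytes are present.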