From patchwork Thu Nov 7 20:16:56 2019
X-Patchwork-Submitter: Lee Jones
X-Patchwork-Id: 178831
From: Lee Jones
To: gregkh@google.com
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Takashi Iwai, Kalle Valo, Sasha Levin, Lee Jones
Subject: [PATCH 04/10] mwifiex: Abort at too short BSS descriptor element
Date: Thu, 7 Nov 2019 20:16:56 +0000
Message-Id: <20191107201702.27023-4-lee.jones@linaro.org>
In-Reply-To: <20191107201702.27023-1-lee.jones@linaro.org>
References: <20191107201702.27023-1-lee.jones@linaro.org>

From: Takashi Iwai

[ Upstream commit 685c9b7750bfacd6fc1db50d86579980593b7869 ]

Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
the source descriptor entries contain enough size for each type
and performs copying without checking the source size. This may lead
to read over boundary.

Fix this by putting the source size check in appropriate places.

Signed-off-by: Takashi Iwai
Signed-off-by: Kalle Valo
Signed-off-by: Sasha Levin
Signed-off-by: Lee Jones Change-Id: I8812db5f71b733e14573cacb6136e8a1a23036df --- drivers/net/wireless/mwifiex/scan.c | 3 +++ 1 file changed, 3 insertions(+) -- 2.24.0 diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c index 81a50d8af370..cff755475bc0 100644 --- a/drivers/net/wireless/mwifiex/scan.c +++ b/drivers/net/wireless/mwifiex/scan.c @@ -1296,6 +1296,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, break; case WLAN_EID_VENDOR_SPECIFIC: + if (element_len + 2 < sizeof(vendor_ie->vend_hdr)) + return -EINVAL; + vendor_ie = (struct ieee_types_vendor_specific *) current_ptr;
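Review bot: the commit message says the size check goes "in appropriate places" and that the copying is unchecked "for each type", but the diff adds a single check, in the WLAN_EID_VENDOR_SPECIFIC case (3 insertions in scan.c). If the other element types handled by mwifiex_update_bss_desc_with_ie() are already length-checked in this tree, say so in the backport description; if they are not, they need the same guard before their copies. In the added test, element_len + 2 < sizeof(vendor_ie->vend_hdr), the + 2 is an unexplained constant; a short comment stating what it accounts for (presumably the element ID and length bytes that precede the payload) would make the bound reviewable. The check also compares against the element's own declared length, so it only protects the read through current_ptr if element_len has itself been validated against the remaining buffer earlier in the loop, which these lines do not show.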