From patchwork Mon Apr 19 14:58:42 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lee Gibson X-Patchwork-Id: 425009 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E6DA7C433B4 for ; Mon, 19 Apr 2021 14:58:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id BE21F61284 for ; Mon, 19 Apr 2021 14:58:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239292AbhDSO7Z (ORCPT ); Mon, 19 Apr 2021 10:59:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52976 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238544AbhDSO7Y (ORCPT ); Mon, 19 Apr 2021 10:59:24 -0400 Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C352AC06174A; Mon, 19 Apr 2021 07:58:54 -0700 (PDT) Received: by mail-ed1-x52d.google.com with SMTP id s15so41111131edd.4; Mon, 19 Apr 2021 07:58:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=WlmAetOa+5HxYf4TDISXX8Ux6wlKUWMqhMG/15ITEcw=; b=rj5ZewnpyD6W7aY3RDAuVO+SqM/hZvLXofs/Q0qLua1KnTiDz7qncKFueri2n8gxkq yGi8DNm2qLymf707ZT8rbH8KEpHMUTjEpxwyTp+QiVIZNRdwD4LimUNybiLZNu0EUImY r+15ue+FrTSD/DGhGBudKaxHLWB+nreqGSueRcgynLEUVex6+HLRGCu2Y6kLtqD5dW4V wt8LouLgpxGbodrtRAB08oiHavXTrjuK+7UQ4OJ8k8+8cX67PJjKz7dVT/z0Hu9eawdB TCihriwcM0nJxvjnHoxMmISUarwK+lcS/+91ZkWJN48JGdMQDc/4HhwU1svEeqAlTiye Rfhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=WlmAetOa+5HxYf4TDISXX8Ux6wlKUWMqhMG/15ITEcw=; b=FZiwVR9EygWpYQOSjJhm9S1dNUExQ2MSd1aKEQ0lbjCfvpDJpREjc3DLE30SXfllSL +vWwdbiY/7ypwAFSgSfjDGJN5q6jODVaWEEmyrHYg6OAmKc8Cq7VvyBbiEO4xDWHS0A+ tR5LZTv/AQJFZpGgNLjopHAjT2pH7JrEG/cxUDGXlUcfAbHKOf+dyqyzm8jlHg/tyY4X JJavZPqQpgXfTHBE8fbw+bIl4hkCkI/NXLrgpP9tWFnMYDZoq7ffh8BpdqO11lDsYe/L zrUY3mwkEx5XkgGI8u2q2+HbHyNebzAYukiC+4jH0llgDP9zXYRahS+qhF7M9cbjxsqi eE4Q== X-Gm-Message-State: AOAM531dON848FKBhphxqBXRgVzPn8+vSkDTuERRHBRsf78Toj/k/j26 HyO/JTKt0xKIK4U8sL6ArSk= X-Google-Smtp-Source: ABdhPJwDY2Exw6txlnSA9y+hQTpW93E8rqswX/sRBG4MQC5YRxy+oQ462t2AuOt8oxT9+p1KoYwZNA== X-Received: by 2002:aa7:c391:: with SMTP id k17mr8156426edq.153.1618844333512; Mon, 19 Apr 2021 07:58:53 -0700 (PDT) Received: from ubuntudesktop.lan (210.53.7.51.dyn.plus.net. [51.7.53.210]) by smtp.gmail.com with ESMTPSA id l14sm1529578edc.0.2021.04.19.07.58.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 19 Apr 2021 07:58:52 -0700 (PDT) From: Lee Gibson To: kvalo@codeaurora.org Cc: imitsyanko@quantenna.com, davem@davemloft.net, kuba@kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Lee Gibson Subject: [PATCH v2] qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth Date: Mon, 19 Apr 2021 15:58:42 +0100 Message-Id: <20210419145842.345787-1-leegib@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210317121706.389058-1-leegib@gmail.com> References: <20210317121706.389058-1-leegib@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Function qtnf_event_handle_external_auth calls memcpy without checking the length. A user could control that length and trigger a buffer overflow. Fix by checking the length is within the maximum allowed size. Signed-off-by: Lee Gibson --- v2: use clamp_val() instead of min_t() drivers/net/wireless/quantenna/qtnfmac/event.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/quantenna/qtnfmac/event.c b/drivers/net/wireless/quantenna/qtnfmac/event.c index c775c177933b..8dc80574d08d 100644 --- a/drivers/net/wireless/quantenna/qtnfmac/event.c +++ b/drivers/net/wireless/quantenna/qtnfmac/event.c @@ -570,8 +570,10 @@ qtnf_event_handle_external_auth(struct qtnf_vif *vif, return 0; if (ev->ssid_len) { - memcpy(auth.ssid.ssid, ev->ssid, ev->ssid_len); - auth.ssid.ssid_len = ev->ssid_len; + int len = clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN); + + memcpy(auth.ssid.ssid, ev->ssid, len); + auth.ssid.ssid_len = len; } auth.key_mgmt_suite = le32_to_cpu(ev->akm_suite);