From 70b1e1a8fa1340439f945b5b27490e117dcea353 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 17 Jun 2019 19:25:01 +0100 Subject: [PATCH] mwifiex: Abort at too short BSS descriptor element --- debian/changelog | 1 + ...-at-too-short-bss-descriptor-element.patch | 83 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 85 insertions(+) create mode 100644 debian/patches/bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch diff --git a/debian/changelog b/debian/changelog index 298675447..675c5406e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,6 +10,7 @@ linux (4.19.37-4) UNRELEASED; urgency=medium * [x86] lockdown,sysrq: Enable ALLOW_LOCKDOWN_LIFT_BY_SYSRQ (Closes: #929583) * mwifiex: Fix possible buffer overflows at parsing bss descriptor (CVE-2019-3846) + * mwifiex: Abort at too short BSS descriptor element [ Romain Perier ] * [rt] Update to 4.19.37-rt20 diff --git a/debian/patches/bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch b/debian/patches/bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch new file mode 100644 index 000000000..b0ac33338 --- /dev/null +++ b/debian/patches/bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch 
@@ -0,0 +1,83 @@
+From: Takashi Iwai
+Date: Wed, 29 May 2019 14:52:20 +0200
+Subject: mwifiex: Abort at too short BSS descriptor element
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit?id=685c9b7750bfacd6fc1db50d86579980593b7869
+
+Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
+the source descriptor entries contain the enough size for each type
+and performs copying without checking the source size. This may lead
+to read over boundary.
+
+Fix this by putting the source size check in appropriate places.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Kalle Valo
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 64ab6fe78c0d..c269a0de9413 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+ 
+ case WLAN_EID_FH_PARAMS:
++ if (element_len + 2 < sizeof(*fh_param_set))
++ return -EINVAL;
+ fh_param_set =
+ (struct ieee_types_fh_param_set *) current_ptr;
+ memcpy(&bss_entry->phy_param_set.fh_param_set,
+@@ -1277,6 +1279,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+ 
+ case WLAN_EID_DS_PARAMS:
++ if (element_len + 2 < sizeof(*ds_param_set))
++ return -EINVAL;
+ ds_param_set =
+ (struct ieee_types_ds_param_set *) current_ptr;
+ 
+@@ -1288,6 +1292,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+ 
+ case WLAN_EID_CF_PARAMS:
++ if (element_len + 2 < sizeof(*cf_param_set))
++ return -EINVAL;
+ cf_param_set =
+ (struct ieee_types_cf_param_set *) current_ptr;
+ memcpy(&bss_entry->ss_param_set.cf_param_set,
+@@ -1296,6 +1302,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+ 
+ case WLAN_EID_IBSS_PARAMS:
++ if (element_len + 2 < sizeof(*ibss_param_set))
++ return -EINVAL;
+ ibss_param_set =
+ (struct ieee_types_ibss_param_set *)
+ current_ptr;
+@@ -1305,10 +1313,14 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+ 
+ case WLAN_EID_ERP_INFO:
++ if (!element_len)
++ return -EINVAL;
+ bss_entry->erp_flags = *(current_ptr + 2);
+ break;
+ 
+ case WLAN_EID_PWR_CONSTRAINT:
++ if (!element_len)
++ return -EINVAL;
+ bss_entry->local_constraint = *(current_ptr + 2);
+ bss_entry->sensed_11h = true;
+ break;
+@@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+ 
+ case WLAN_EID_VENDOR_SPECIFIC:
++ if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
++ return -EINVAL;
++
+ vendor_ie = (struct ieee_types_vendor_specific *)
+ current_ptr;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 29c0bfe21..b9113450f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -218,6 +218,7 @@ bugfix/all/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
 bugfix/all/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
 bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch
 bugfix/all/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch
+bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
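Review bot: The new guards in the FH/DS/CF/IBSS and vendor-specific cases each spell the IE header as a bare `+ 2` (`element_len + 2 < sizeof(*fh_param_set)` and the four like it), leaving the reader to work out that `sizeof` of the typed struct counts the id/len bytes while `element_len` does not; computing the full element size once where `element_len` is read (outside this hunk), e.g. `size_t ie_len = element_len + 2; /* id + len header precedes the body */`, and comparing `ie_len < sizeof(*fh_param_set)` would keep that invariant in one place. Failing that, a one-line comment at the first guard such as `/* the struct we read through includes the 2-byte IE header, so the whole IE must cover it */` would spare the next maintainer from re-deriving it. These checks bound the reads against the element's own declared length only; they still depend on an earlier check that the declared length fits within the bytes remaining in the frame, which is outside the hunk and cannot be confirmed here. Returning -EINVAL drops the whole descriptor on one short IE rather than skipping that IE — a sound choice for data received off the air, but presumably the caller then discards the scan entry, which is worth stating in the patch description. mwifiex_update_bss_desc_with_ie starts and ends outside the hunk.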