From: Takashi Iwai <tiwai@suse.de>
|
|
Date: Wed, 29 May 2019 14:52:20 +0200
|
|
Subject: mwifiex: Abort at too short BSS descriptor element
|
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit?id=685c9b7750bfacd6fc1db50d86579980593b7869
|
|
|
|
Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
|
|
the source descriptor entries are large enough for each type
|
|
and performs copying without checking the source size. This may lead
|
|
to read over boundary.
|
|
|
|
Fix this by putting the source size check in appropriate places.
|
|
|
|
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
|
---
|
|
drivers/net/wireless/marvell/mwifiex/scan.c | 15 +++++++++++++++
|
|
1 file changed, 15 insertions(+)
|
|
|
|
diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
|
|
index 64ab6fe78c0d..c269a0de9413 100644
|
|
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
|
|
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
|
|
@@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
|
|
break;
|
|
|
|
case WLAN_EID_FH_PARAMS:
|
|
+ if (element_len + 2 < sizeof(*fh_param_set))
|
|
+ return -EINVAL;
|
|
fh_param_set =
|
|
(struct ieee_types_fh_param_set *) current_ptr;
|
|
memcpy(&bss_entry->phy_param_set.fh_param_set,
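Review bot: The literal `2` in `element_len + 2 < sizeof(*fh_param_set)` is unexplained, and the same form recurs in the DS_PARAMS, CF_PARAMS, IBSS_PARAMS and VENDOR_SPECIFIC hunks. It presumably stands for the element ID and length octets that the ieee_types_* structs include ahead of the payload (the ERP_INFO hunk reads the first payload byte at `current_ptr + 2`), so a short comment above the first check would help: `/* +2: the struct includes the element ID and length octets */`. If the function already holds the full element length in a local, comparing that against the sizeof would drop the magic number. The function body lies outside the hunk, so that cannot be confirmed here.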
|
|
@@ -1277,6 +1279,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
|
|
break;
|
|
|
|
case WLAN_EID_DS_PARAMS:
|
|
+ if (element_len + 2 < sizeof(*ds_param_set))
|
|
+ return -EINVAL;
|
|
ds_param_set =
|
|
(struct ieee_types_ds_param_set *) current_ptr;
|
|
|
|
@@ -1288,6 +1292,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
|
|
break;
|
|
|
|
case WLAN_EID_CF_PARAMS:
|
|
+ if (element_len + 2 < sizeof(*cf_param_set))
|
|
+ return -EINVAL;
|
|
cf_param_set =
|
|
(struct ieee_types_cf_param_set *) current_ptr;
|
|
memcpy(&bss_entry->ss_param_set.cf_param_set,
|
|
@@ -1296,6 +1302,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
|
|
break;
|
|
|
|
case WLAN_EID_IBSS_PARAMS:
|
|
+ if (element_len + 2 < sizeof(*ibss_param_set))
|
|
+ return -EINVAL;
|
|
ibss_param_set =
|
|
(struct ieee_types_ibss_param_set *)
|
|
current_ptr;
|
|
@@ -1305,10 +1313,14 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
|
|
break;
|
|
|
|
case WLAN_EID_ERP_INFO:
|
|
+ if (!element_len)
|
|
+ return -EINVAL;
|
|
bss_entry->erp_flags = *(current_ptr + 2);
|
|
break;
|
|
|
|
case WLAN_EID_PWR_CONSTRAINT:
|
|
+ if (!element_len)
|
|
+ return -EINVAL;
|
|
bss_entry->local_constraint = *(current_ptr + 2);
|
|
bss_entry->sensed_11h = true;
|
|
break;
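Review bot: The two `if (!element_len)` guards are safe only together with a bound that is not in this hunk: they prove the element claims at least one payload octet, not that `current_ptr + 2` is still inside the scan buffer. Presumably the loop checks the element's total length against the remaining bytes before the switch; the start of the function is outside the hunk, so this should be confirmed. A comment on each guard would record the dependency, e.g. `/* one payload octet is read below; buffer bound is checked before the switch */`. Returning `-EINVAL` here also leaves `bss_entry` holding whatever earlier elements already wrote into it, so the caller has to discard the entry on error.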
|
|
@@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
|
|
break;
|
|
|
|
case WLAN_EID_VENDOR_SPECIFIC:
|
|
+ if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
|
|
+ return -EINVAL;
|
|
+
|
|
vendor_ie = (struct ieee_types_vendor_specific *)
|
|
current_ptr;
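Review bot: The guard against `sizeof(vendor_ie->vend_hdr)` covers the vendor header only, so any read of `vendor_ie` beyond `vend_hdr` later in this case needs its own length check; the rest of the case is outside the hunk and is not visible here. A comment would make the limit explicit: `/* validates vend_hdr only; fields past the header must be length-checked separately */`. The blank line added after `return -EINVAL;` is also inconsistent with the other checks in this commit, which go straight to the assignment.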
|
|
|