mwifiex: Abort at too short BSS descriptor element
This commit is contained in:
parent
54fa813858
commit
70b1e1a8fa
|
@ -10,6 +10,7 @@ linux (4.19.37-4) UNRELEASED; urgency=medium
|
|||
* [x86] lockdown,sysrq: Enable ALLOW_LOCKDOWN_LIFT_BY_SYSRQ (Closes: #929583)
|
||||
* mwifiex: Fix possible buffer overflows at parsing bss descriptor
|
||||
(CVE-2019-3846)
|
||||
* mwifiex: Abort at too short BSS descriptor element
|
||||
|
||||
[ Romain Perier ]
|
||||
* [rt] Update to 4.19.37-rt20
|
||||
|
|
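--- /dev/null
+++ b/debian/patches/bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch
@@ -0,0 +1,83 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 29 May 2019 14:52:20 +0200
+Subject: mwifiex: Abort at too short BSS descriptor element
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit?id=685c9b7750bfacd6fc1db50d86579980593b7869
+
+Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
+the source descriptor entries contain the enough size for each type
+and performs copying without checking the source size. This may lead
+to read over boundary.
+
+Fix this by putting the source size check in appropriate places.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+drivers/net/wireless/marvell/mwifiex/scan.c | 15 +++++++++++++++
+1 file changed, 15 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 64ab6fe78c0d..c269a0de9413 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+break;
+
+case WLAN_EID_FH_PARAMS:
++ if (element_len + 2 < sizeof(*fh_param_set))
++ return -EINVAL;
+fh_param_set =
+(struct ieee_types_fh_param_set *) current_ptr;
+memcpy(&bss_entry->phy_param_set.fh_param_set,
+@@ -1277,6 +1279,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+break;
+
+case WLAN_EID_DS_PARAMS:
++ if (element_len + 2 < sizeof(*ds_param_set))
++ return -EINVAL;
+ds_param_set =
+(struct ieee_types_ds_param_set *) current_ptr;
+
+@@ -1288,6 +1292,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+break;
+
+case WLAN_EID_CF_PARAMS:
++ if (element_len + 2 < sizeof(*cf_param_set))
++ return -EINVAL;
+cf_param_set =
+(struct ieee_types_cf_param_set *) current_ptr;
+memcpy(&bss_entry->ss_param_set.cf_param_set,
+@@ -1296,6 +1302,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+break;
+
+case WLAN_EID_IBSS_PARAMS:
++ if (element_len + 2 < sizeof(*ibss_param_set))
++ return -EINVAL;
+ibss_param_set =
+(struct ieee_types_ibss_param_set *)
+current_ptr;
+@@ -1305,10 +1313,14 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+break;
+
+case WLAN_EID_ERP_INFO:
++ if (!element_len)
++ return -EINVAL;
+bss_entry->erp_flags = *(current_ptr + 2);
+break;
+
+case WLAN_EID_PWR_CONSTRAINT:
++ if (!element_len)
++ return -EINVAL;
+bss_entry->local_constraint = *(current_ptr + 2);
+bss_entry->sensed_11h = true;
+break;
+@@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+break;
+
+case WLAN_EID_VENDOR_SPECIFIC:
++ if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
++ return -EINVAL;
++
+vendor_ie = (struct ieee_types_vendor_specific *)
+current_ptr;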
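Review bot: Each new length guard compares `element_len + 2` against `sizeof(*..._param_set)`, but the `+ 2` is never explained and the same literal is repeated across all six hunks. Presumably it re-adds the two-byte element header (ID and length) that `element_len` excludes while the `ieee_types_*_param_set` structs include it; that is worth stating once, e.g. `/* element_len excludes the 2-byte IE header; the param_set structs include it */` above the first guard, or replacing the literal with the header struct's `sizeof` if the driver has a named type for it. These guards only prove each element is long enough for its own struct; they still rely on the enclosing loop having already bounded `element_len` by the bytes remaining in the buffer, which is outside these hunks and should be confirmed rather than assumed. The `WLAN_EID_ERP_INFO` and `WLAN_EID_PWR_CONSTRAINT` guards (`if (!element_len)`) do cover the single byte read at `current_ptr + 2`. `mwifiex_update_bss_desc_with_ie()` begins and ends outside the hunks.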
@ -218,6 +218,7 @@ bugfix/all/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
|
|||
bugfix/all/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
|
||||
bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch
|
||||
bugfix/all/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch
|
||||
bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|