| From 9da65b843f2a503240032db46c0379e7260a361a Mon Sep 17 00:00:00 2001 |
| From: Qing Xu <m1s5p6688@gmail.com> |
| Date: Thu, 2 Jan 2020 10:39:26 +0800 |
| Subject: [PATCH] mwifiex: Fix possible buffer overflows in |
| mwifiex_ret_wmm_get_status() |
| |
| commit 3a9b153c5591548612c3955c9600a98150c81875 upstream. |
| |
| mwifiex_ret_wmm_get_status() calls memcpy() without checking the |
| destination size.Since the source is given from remote AP which |
| contains illegal wmm elements , this may trigger a heap buffer |
| overflow. |
| Fix it by putting the length check before calling memcpy(). |
| |
| Signed-off-by: Qing Xu <m1s5p6688@gmail.com> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/net/wireless/marvell/mwifiex/wmm.c b/drivers/net/wireless/marvell/mwifiex/wmm.c |
| index 64916ba15df5..429ea2752e6a 100644 |
| --- a/drivers/net/wireless/marvell/mwifiex/wmm.c |
| +++ b/drivers/net/wireless/marvell/mwifiex/wmm.c |
| @@ -977,6 +977,10 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private *priv, |
| "WMM Parameter Set Count: %d\n", |
| wmm_param_ie->qos_info_bitmap & mask); |
| |
| + if (wmm_param_ie->vend_hdr.len + 2 > |
| + sizeof(struct ieee_types_wmm_parameter)) |
| + break; |
| + |
| memcpy((u8 *) &priv->curr_bss_params.bss_descriptor. |
| wmm_ie, wmm_param_ie, |
| wmm_param_ie->vend_hdr.len + 2); |
| -- |
| 2.7.4 |
| |