release/5.2.39/mwifiex-Fix-possible-buffer-overflows-in-mwifiex_ret.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 9da65b843f2a503240032db46c0379e7260a361a Mon Sep 17 00:00:00 2001
 From: Qing Xu <m1s5p6688@gmail.com>
 Date: Thu, 2 Jan 2020 10:39:26 +0800
 Subject: [PATCH] mwifiex: Fix possible buffer overflows in
  mwifiex_ret_wmm_get_status()

 commit 3a9b153c5591548612c3955c9600a98150c81875 upstream.

 mwifiex_ret_wmm_get_status() calls memcpy() without checking the
 destination size.Since the source is given from remote AP which
 contains illegal wmm elements , this may trigger a heap buffer
 overflow.
 Fix it by putting the length check before calling memcpy().

 Signed-off-by: Qing Xu <m1s5p6688@gmail.com>
 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/drivers/net/wireless/marvell/mwifiex/wmm.c b/drivers/net/wireless/marvell/mwifiex/wmm.c
 index 64916ba15df5..429ea2752e6a 100644
 --- a/drivers/net/wireless/marvell/mwifiex/wmm.c
 +++ b/drivers/net/wireless/marvell/mwifiex/wmm.c
 @@ -977,6 +977,10 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private *priv,
  				    "WMM Parameter Set Count: %d\n",
  				    wmm_param_ie->qos_info_bitmap & mask);

 +			if (wmm_param_ie->vend_hdr.len + 2 >
 +				sizeof(struct ieee_types_wmm_parameter))
 +				break;
 +
  			memcpy((u8 *) &priv->curr_bss_params.bss_descriptor.
  			       wmm_ie, wmm_param_ie,
  			       wmm_param_ie->vend_hdr.len + 2);
 --
 2.7.4
	From 9da65b843f2a503240032db46c0379e7260a361a Mon Sep 17 00:00:00 2001
	From: Qing Xu <m1s5p6688@gmail.com>
	Date: Thu, 2 Jan 2020 10:39:26 +0800
	Subject: [PATCH] mwifiex: Fix possible buffer overflows in
	mwifiex_ret_wmm_get_status()

	commit 3a9b153c5591548612c3955c9600a98150c81875 upstream.

	mwifiex_ret_wmm_get_status() calls memcpy() without checking the
	destination size.Since the source is given from remote AP which
	contains illegal wmm elements , this may trigger a heap buffer
	overflow.
	Fix it by putting the length check before calling memcpy().

	Signed-off-by: Qing Xu <m1s5p6688@gmail.com>
	Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/drivers/net/wireless/marvell/mwifiex/wmm.c b/drivers/net/wireless/marvell/mwifiex/wmm.c
	index 64916ba15df5..429ea2752e6a 100644
	--- a/drivers/net/wireless/marvell/mwifiex/wmm.c
	+++ b/drivers/net/wireless/marvell/mwifiex/wmm.c
	@@ -977,6 +977,10 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private *priv,
	"WMM Parameter Set Count: %d\n",
	wmm_param_ie->qos_info_bitmap & mask);

	+ if (wmm_param_ie->vend_hdr.len + 2 >
	+ sizeof(struct ieee_types_wmm_parameter))
	+ break;
	+
	memcpy((u8 *) &priv->curr_bss_params.bss_descriptor.
	wmm_ie, wmm_param_ie,
	wmm_param_ie->vend_hdr.len + 2);
	--
	2.7.4