| From 260a9ad9446723d4063ed802989758852809714d Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Wed, 14 Apr 2021 11:29:55 +0300 |
| Subject: ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit 260a9ad9446723d4063ed802989758852809714d upstream. |
| |
| The "ext->key_len" is a u16 that comes from the user. If it's over |
| SCM_KEY_LEN (32) that could lead to memory corruption. |
| |
| Fixes: e0d369d1d969 ("[PATCH] ieee82011: Added WE-18 support to default wireless extension handler") |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Acked-by: Stanislav Yakovlev <stas.yakovlev@gmail.com> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Link: https://lore.kernel.org/r/YHaoA1i+8uT4ir4h@mwanda |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/net/wireless/intel/ipw2x00/libipw_wx.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/net/wireless/intel/ipw2x00/libipw_wx.c |
| +++ b/drivers/net/wireless/intel/ipw2x00/libipw_wx.c |
| @@ -649,8 +649,10 @@ int libipw_wx_set_encodeext(struct libip |
| } |
| |
| if (ext->alg != IW_ENCODE_ALG_NONE) { |
| - memcpy(sec.keys[idx], ext->key, ext->key_len); |
| - sec.key_sizes[idx] = ext->key_len; |
| + int key_len = clamp_val(ext->key_len, 0, SCM_KEY_LEN); |
| + |
| + memcpy(sec.keys[idx], ext->key, key_len); |
| + sec.key_sizes[idx] = key_len; |
| sec.flags |= (1 << idx); |
| if (ext->alg == IW_ENCODE_ALG_WEP) { |
| sec.encode_alg[idx] = SEC_ALG_WEP; |