lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 06 Nov 2017 23:03:02 +0000
From:   Ben Hutchings <>
        "Seraphime Kirkovski" <>,
        "Emmanuel Grumbach" <>,
        "Luca Coelho" <>
Subject: [PATCH 3.16 055/294] iwlwifi: dvm: prevent an out of bounds access

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.


From: Emmanuel Grumbach <>

commit 0b0f934e92a8eaed2e6c48a50eae6f84661f74f3 upstream.

iwlagn_check_ratid_empty takes the tid as a parameter, but
it doesn't check that it is not IWL_TID_NON_QOS.
Since IWL_TID_NON_QOS = 8 and iwl_priv::tid_data is an array
with 8 entries, accessing iwl_priv::tid_data[IWL_TID_NON_QOS]
is a bad idea.
This happened in iwlagn_rx_reply_tx. Since
iwlagn_check_ratid_empty is relevant only to check whether
we can open A-MPDU, this flow is irrelevant if tid is
IWL_TID_NON_QOS. Call iwlagn_check_ratid_empty only inside
	if (tid != IWL_TID_NON_QOS)

a few lines earlier in the function.

Reported-by: Seraphime Kirkovski <>
Tested-by: Seraphime Kirkovski <>
Signed-off-by: Emmanuel Grumbach <>
Signed-off-by: Luca Coelho <>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <>
 drivers/net/wireless/iwlwifi/dvm/tx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/iwlwifi/dvm/tx.c
+++ b/drivers/net/wireless/iwlwifi/dvm/tx.c
@@ -1190,11 +1190,11 @@ int iwlagn_rx_reply_tx(struct iwl_priv *
 			IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n",
+			iwlagn_check_ratid_empty(priv, sta_id, tid);
 		iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs);
-		iwlagn_check_ratid_empty(priv, sta_id, tid);
 		freed = 0;
 		/* process frames */

Powered by blists - more mailing lists