lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1571402142.1994.6.camel@realtek.com>
Date:   Fri, 18 Oct 2019 12:35:43 +0000
From:   Pkshih <pkshih@...ltek.com>
To:     "labbott@...hat.com" <labbott@...hat.com>,
        "kvalo@...eaurora.org" <kvalo@...eaurora.org>
CC:     "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "nico@...mle.com" <nico@...mle.com>
Subject: Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

On Fri, 2019-10-18 at 07:43 -0400, Laura Abbott wrote:
> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
> 
> Reported-by: Nicolas Waisman <nico@...mle.com>
> Signed-off-by: Laura Abbott <labbott@...hat.com>

Acked-by: Ping-Ke Shih <pkshih@...ltek.com>
and Please CC to stable
Cc: Stable <stable@...r.kernel.org> # 4.4+

---

Hi Kalle,

This bug was existing since v3.10, and directory of wireless drivers were
moved at v4.4. Do I need send another patch to fix this issue for longterm
kernel v3.16.75?

Thanks
PK


> ---
> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
> ---
>  drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c
> b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..fff8dda14023 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void
> *data,
>  				return;
>  			} else {
>  				noa_num = (noa_len - 2) / 13;
> +				if (noa_num > P2P_MAX_NOA_NUM)
> +					noa_num = P2P_MAX_NOA_NUM;
> +
>  			}
>  			noa_index = ie[3];
>  			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw,
> void *data,
>  				return;
>  			} else {
>  				noa_num = (noa_len - 2) / 13;
> +				if (noa_num > P2P_MAX_NOA_NUM)
> +					noa_num = P2P_MAX_NOA_NUM;
> +
>  			}
>  			noa_index = ie[3];
>  			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ