lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 19 Oct 2019 15:02:47 -0400
From:   Laura Abbott <labbott@...hat.com>
To:     Kalle Valo <kvalo@...eaurora.org>
Cc:     Ping-Ke Shih <pkshih@...ltek.com>,
        "David S . Miller" <davem@...emloft.net>,
        linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, Nicolas Waisman <nico@...mle.com>
Subject: Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

On 10/19/19 6:51 AM, Kalle Valo wrote:
> Laura Abbott <labbott@...hat.com> writes:
> 
>> Nicolas Waisman noticed that even though noa_len is checked for
>> a compatible length it's still possible to overrun the buffers
>> of p2pinfo since there's no check on the upper bound of noa_num.
>> Bound noa_num against P2P_MAX_NOA_NUM.
>>
>> Reported-by: Nicolas Waisman <nico@...mle.com>
>> Signed-off-by: Laura Abbott <labbott@...hat.com>
>> ---
>> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
>> ---
>>   drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
>>   1 file changed, 6 insertions(+)
>>
>> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
>> index 70f04c2f5b17..fff8dda14023 100644
>> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
>> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
>> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
>>   				return;
>>   			} else {
>>   				noa_num = (noa_len - 2) / 13;
>> +				if (noa_num > P2P_MAX_NOA_NUM)
>> +					noa_num = P2P_MAX_NOA_NUM;
>> +
>>   			}
>>   			noa_index = ie[3];
>>   			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
>> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
>>   				return;
>>   			} else {
>>   				noa_num = (noa_len - 2) / 13;
>> +				if (noa_num > P2P_MAX_NOA_NUM)
>> +					noa_num = P2P_MAX_NOA_NUM;
> 
> IMHO using min() would be cleaner, but I'm fine with this as well. Up to
> you.
> 

I believe the intention is to re-write this anyway so I'd prefer to
just get this in given the uptick this issue seems to have gotten.

Thanks,
Laura

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ