| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Jun 2021 21:49:16 +0530
From: Anirudh Rayabharam <mail@...rudhrb.com>
To: Johannes Berg <johannes@...solutions.net>,
Kalle Valo <kvalo@...eaurora.org>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>
Cc: gregkh@...uxfoundation.org,
linux-kernel-mentees@...ts.linuxfoundation.org,
Anirudh Rayabharam <mail@...rudhrb.com>,
syzbot+b2645b5bf1512b81fa22@...kaller.appspotmail.com,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] mac80211_hwsim: correctly handle zero length frames
syzbot, using KMSAN, has reported an uninit-value access in
hwsim_cloned_frame_received_nl(). This is happening because frame_data_len
is 0. The code doesn't detect this case and blindly tries to read the
frame's header.
Fix this by bailing out in case frame_data_len is 0.
Reported-by: syzbot+b2645b5bf1512b81fa22@...kaller.appspotmail.com
Tested-by: syzbot+b2645b5bf1512b81fa22@...kaller.appspotmail.com
Signed-off-by: Anirudh Rayabharam <mail@...rudhrb.com>
---
drivers/net/wireless/mac80211_hwsim.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 51ce767eaf88..ccfe40313109 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3649,7 +3649,7 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
if (skb == NULL)
goto err;
- if (frame_data_len > IEEE80211_MAX_DATA_LEN)
+ if (frame_data_len == 0 || frame_data_len > IEEE80211_MAX_DATA_LEN)
goto err;
/* Copy the data */
--
2.26.2
Powered by blists - more mailing lists