| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 5 Jul 2023 04:43:50 +0000
From: pinkperfect <pinkperfect2021@...il.com>
To: amitkarwar@...il.com, kvalo@...nel.org
Cc: linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org,
pinkperfect <pinkperfect2021@...il.com>
Subject: [PATCH] wifi: mwifiex: Fix integer underflow in mwifiex_process_mgmt_packet
In outside functions have checked upper limit of rx_pkt_length,
in mwifiex_process_mgmt_packet should make sure rx_pkt_length not underflow
to avoid OOB access.
Signed-off-by: pinkperfect <pinkperfect2021@...il.com>
---
drivers/net/wireless/marvell/mwifiex/util.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/util.c b/drivers/net/wireless/marvell/mwifiex/util.c
index 94c2d219835d..4291252e06ea 100644
--- a/drivers/net/wireless/marvell/mwifiex/util.c
+++ b/drivers/net/wireless/marvell/mwifiex/util.c
@@ -399,6 +399,11 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv,
pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
+ if (pkt_len < sizeof(struct ieee80211_hdr)) {
+ mwifiex_dbg(priv->adapter, ERROR, "invalid rx_pkt_length");
+ return -1;
+ }
+
ieee_hdr = (void *)skb->data;
if (ieee80211_is_mgmt(ieee_hdr->frame_control)) {
if (mwifiex_parse_mgmt_packet(priv, (u8 *)ieee_hdr,
--
2.25.1
Powered by blists - more mailing lists