| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20230706020751.859773-1-pinkperfect2021@gmail.com>
Date: Thu, 6 Jul 2023 02:07:51 +0000
From: pinkperfect <pinkperfect2021@...il.com>
To: amitkarwar@...il.com, kvalo@...nel.org, ganapathi017@...il.com,
sharvari.harisangam@....com, huxinming820@...il.com
Cc: linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org,
pinkperfect <pinkperfect2021@...il.com>
Subject: [PATCH] wifi: mwifiex: Security: Fix memcpy oobs in mwifiex_set_encode
In cfg80211 flow, when handling userspace netlink messages
if input cipher mode is WLAN_CIPHER_SUITE_SMS4
will make cfg80211_validate_key_settings not check key_len and seq_len
which will cause controllable memcpy overwrite
So needs to check them in mwifiex_set_encode.
Signed-off-by: pinkperfect <pinkperfect2021@...il.com>
---
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
index a2ad2b53f016..bddc11eac8a9 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
@@ -1099,6 +1099,11 @@ int mwifiex_set_encode(struct mwifiex_private *priv, struct key_params *kp,
{
struct mwifiex_ds_encrypt_key encrypt_key;
+ if (key_len > WLAN_MAX_KEY_LEN || (kp && kp->seq_len > PN_LEN)) {
+ mwifiex_dbg(priv->adapter, ERROR, "invalid parameters");
+ return -1;
+ }
+
memset(&encrypt_key, 0, sizeof(encrypt_key));
encrypt_key.key_len = key_len;
encrypt_key.key_index = key_index;
--
2.25.1
Powered by blists - more mailing lists