| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20230708070749.2382045-1-pinkperfect2021@gmail.com>
Date: Sat, 8 Jul 2023 07:07:49 +0000
From: pinkperfect <pinkperfect2021@...il.com>
To: amitkarwar@...il.com, kvalo@...nel.org, ganapathi017@...il.com,
sharvari.harisangam@....com, huxinming820@...il.com
Cc: linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org,
pinkperfect <pinkperfect2021@...il.com>
Subject: [PATCH v2] wifi: mwifiex: Fix OOB and integer underflow in mwifiex_process_mgmt_packet
In outside functions have checked upper limit of rx_pkt_length,
in mwifiex_process_mgmt_packet should make sure rx_pkt_length not underflow
and make sure skb->len big enough to avoid OOB access.
Signed-off-by: pinkperfect <pinkperfect2021@...il.com>
---
drivers/net/wireless/marvell/mwifiex/util.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/util.c b/drivers/net/wireless/marvell/mwifiex/util.c
index 94c2d219835d..31e1a82883e4 100644
--- a/drivers/net/wireless/marvell/mwifiex/util.c
+++ b/drivers/net/wireless/marvell/mwifiex/util.c
@@ -399,6 +399,11 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv,
pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
+ if (pkt_len < sizeof(struct ieee80211_hdr) || skb->len < pkt_len) {
+ mwifiex_dbg(priv->adapter, ERROR, "invalid rx_pkt_length");
+ return -1;
+ }
+
ieee_hdr = (void *)skb->data;
if (ieee80211_is_mgmt(ieee_hdr->frame_control)) {
if (mwifiex_parse_mgmt_packet(priv, (u8 *)ieee_hdr,
--
2.25.1
Powered by blists - more mailing lists