| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230712175102.59d2bda9@kernel.org>
Date: Wed, 12 Jul 2023 17:51:02 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: pinkperfect <pinkperfect2021@...il.com>
Cc: amitkarwar@...il.com, kvalo@...nel.org,
linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] wifi: mwifiex: Fix integer underflow in
mwifiex_process_mgmt_packet
On Wed, 5 Jul 2023 04:43:50 +0000 pinkperfect wrote:
> In outside functions have checked upper limit of rx_pkt_length,
> in mwifiex_process_mgmt_packet should make sure rx_pkt_length not underflow
> to avoid OOB access.
Please add a Fixes tag.
> Signed-off-by: pinkperfect <pinkperfect2021@...il.com>
We need something close to your legal name, or basically know who you
are. Because of developer certificate of origin. We're working on real
code under real copyright law..
> diff --git a/drivers/net/wireless/marvell/mwifiex/util.c b/drivers/net/wireless/marvell/mwifiex/util.c
> index 94c2d219835d..4291252e06ea 100644
> --- a/drivers/net/wireless/marvell/mwifiex/util.c
> +++ b/drivers/net/wireless/marvell/mwifiex/util.c
> @@ -399,6 +399,11 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv,
>
> pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
>
> + if (pkt_len < sizeof(struct ieee80211_hdr)) {
The callers also look at the header and the MAC addresses in it.
I think we need to pull this check earlier.
> + mwifiex_dbg(priv->adapter, ERROR, "invalid rx_pkt_length");
> + return -1;
Powered by blists - more mailing lists