lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <8aacfa081d3f4bc3a3ea8359e610fa3e@AcuMS.aculab.com>
Date:   Mon, 17 Jul 2023 13:41:58 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Polaris Pi' <pinkperfect2021@...il.com>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "amitkarwar@...il.com" <amitkarwar@...il.com>,
        "kvalo@...nel.org" <kvalo@...nel.org>,
        "ganapathi017@...il.com" <ganapathi017@...il.com>,
        "sharvari.harisangam@....com" <sharvari.harisangam@....com>,
        "huxinming820@...il.com" <huxinming820@...il.com>
CC:     "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH v5] wifi: mwifiex: Fix OOB and integer underflow when rx
 packets

From: Polaris Pi
> Sent: 14 July 2023 13:02
> 
> Make sure mwifiex_process_mgmt_packet and its callers
> mwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet
> not out-of-bounds access the skb->data buffer.
> 
...
> diff --git a/drivers/net/wireless/marvell/mwifiex/sta_rx.c
> b/drivers/net/wireless/marvell/mwifiex/sta_rx.c
> index 13659b02ba88..88aaec645291 100644
> --- a/drivers/net/wireless/marvell/mwifiex/sta_rx.c
> +++ b/drivers/net/wireless/marvell/mwifiex/sta_rx.c
> @@ -194,7 +194,8 @@ int mwifiex_process_sta_rx_packet(struct mwifiex_private *priv,
> 
>  	rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_offset;
> 
> -	if ((rx_pkt_offset + rx_pkt_length) > (u16) skb->len) {
> +	if ((rx_pkt_offset + rx_pkt_length) > (u16)skb->len ||
> +	    skb->len - rx_pkt_offset < sizeof(*rx_pkt_hdr)) {

What is the (u16) cast for?
The domain of both tx_pkt_offset and rx_pkt_length is 16bits.
Their sum is of type 'int', masking skb->len to 16 bits just
discards high bits (which are probably zero).

The second test should probably be:
	rx_pkt_offset + sizeof(*rx_pkt_hdr) > skb->len
although the first test includes the 'offset > len' check.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ