| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5B2DA6FDDF928F4E855344EE0A5C39D1D5C84368@RTITMBSVM04.realtek.com.tw>
Date: Thu, 17 Oct 2019 01:24:26 +0000
From: Pkshih <pkshih@...ltek.com>
To: Laura Abbott <labbott@...hat.com>,
Kalle Valo <kvalo@...eaurora.org>
CC: "David S. Miller" <davem@...emloft.net>,
"linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Nicolas Waisman <nico@...mle.com>
Subject: RE: [PATCH] rtlwifi: Fix potential overflow on P2P code
> -----Original Message-----
> From: linux-wireless-owner@...r.kernel.org [mailto:linux-wireless-owner@...r.kernel.org] On Behalf
> Of Laura Abbott
> Sent: Thursday, October 17, 2019 4:57 AM
> To: Pkshih; Kalle Valo
> Cc: Laura Abbott; David S. Miller; linux-wireless@...r.kernel.org; netdev@...r.kernel.org;
> linux-kernel@...r.kernel.org; Nicolas Waisman
> Subject: [PATCH] rtlwifi: Fix potential overflow on P2P code
>
> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bounds check noa_num against P2P_MAX_NOA_NUM.
>
> Reported-by: Nicolas Waisman <nico@...mle.com>
> Signed-off-by: Laura Abbott <labbott@...hat.com>
> ---
> Compile tested only as this was reported to the security list.
> ---
> drivers/net/wireless/realtek/rtlwifi/ps.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..c5cff598383d 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -754,6 +754,13 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
> return;
> } else {
> noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM) {
> + RT_TRACE(rtlpriv, COMP_INIT, DBG_LOUD,
> + "P2P notice of absence: invalid noa_num.%d\n",
> + noa_num);
> + return;
As the discussion at <security@...nel.org>, I think it'd be better to use
the min between noa_num and P2P_MAX_NOA_NUM, and fall through the code instead
of return. Because ignore all NoA isn't better than apply two of them.
> + }
> +
> }
> noa_index = ie[3];
> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -848,6 +855,13 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
> return;
> } else {
> noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM) {
> + RT_TRACE(rtlpriv, COMP_FW, DBG_LOUD,
> + "P2P notice of absence: invalid noa_len.%d\n",
> + noa_len);
> + return;
> +
> + }
> }
> noa_index = ie[3];
> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> --
> 2.21.0
Powered by blists - more mailing lists