lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 20 Oct 2019 09:18:26 +0300
From:   Kalle Valo <kvalo@...eaurora.org>
To:     Laura Abbott <labbott@...hat.com>
Cc:     Ping-Ke Shih <pkshih@...ltek.com>,
        "David S . Miller" <davem@...emloft.net>,
        linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, Nicolas Waisman <nico@...mle.com>
Subject: Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

Laura Abbott <labbott@...hat.com> writes:

> On 10/19/19 6:51 AM, Kalle Valo wrote:
>> Laura Abbott <labbott@...hat.com> writes:
>>
>>> Nicolas Waisman noticed that even though noa_len is checked for
>>> a compatible length it's still possible to overrun the buffers
>>> of p2pinfo since there's no check on the upper bound of noa_num.
>>> Bound noa_num against P2P_MAX_NOA_NUM.
>>>
>>> Reported-by: Nicolas Waisman <nico@...mle.com>
>>> Signed-off-by: Laura Abbott <labbott@...hat.com>
>>> ---
>>> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
>>> ---
>>>   drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
>>>   1 file changed, 6 insertions(+)
>>>
>>> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> index 70f04c2f5b17..fff8dda14023 100644
>>> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
>>>   				return;
>>>   			} else {
>>>   				noa_num = (noa_len - 2) / 13;
>>> +				if (noa_num > P2P_MAX_NOA_NUM)
>>> +					noa_num = P2P_MAX_NOA_NUM;
>>> +
>>>   			}
>>>   			noa_index = ie[3];
>>>   			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
>>> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
>>>   				return;
>>>   			} else {
>>>   				noa_num = (noa_len - 2) / 13;
>>> +				if (noa_num > P2P_MAX_NOA_NUM)
>>> +					noa_num = P2P_MAX_NOA_NUM;
>>
>> IMHO using min() would be cleaner, but I'm fine with this as well. Up to
>> you.
>>
>
> I believe the intention is to re-write this anyway so I'd prefer to
> just get this in given the uptick this issue seems to have gotten.

Ok, I'll queue this to v5.4.

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ