lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Dec 2020 11:36:05 +1100 From: Julian Calaby <julian.calaby@...il.com> To: Xiaohui Zhang <ruc_zhangxiaohui@....com> Cc: Amitkumar Karwar <amitkarwar@...il.com>, Ganapathi Bhat <ganapathi.bhat@....com>, Xinming Hu <huxinming820@...il.com>, Kalle Valo <kvalo@...eaurora.org>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, linux-wireless@...r.kernel.org, netdev@...r.kernel.org, LKML <linux-kernel@...r.kernel.org> Subject: Re: [PATCH 1/1] mwifiex: Fix possible buffer overflows in mwifiex_config_scan Hi Xiaohui, On Wed, Dec 9, 2020 at 12:07 AM Xiaohui Zhang <ruc_zhangxiaohui@....com> wrote: > > From: Zhang Xiaohui <ruc_zhangxiaohui@....com> > > mwifiex_config_scan() calls memcpy() without checking > the destination size may trigger a buffer overflower, > which a local user could use to cause denial of service > or the execution of arbitrary code. > Fix it by putting the length check before calling memcpy(). > > Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@....com> > --- > drivers/net/wireless/marvell/mwifiex/scan.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c > index c2a685f63..b1d90678f 100644 > --- a/drivers/net/wireless/marvell/mwifiex/scan.c > +++ b/drivers/net/wireless/marvell/mwifiex/scan.c > @@ -930,6 +930,8 @@ mwifiex_config_scan(struct mwifiex_private *priv, > "DIRECT-", 7)) > wildcard_ssid_tlv->max_ssid_length = 0xfe; > > + if (ssid_len > 1) > + ssid_len = 1; > memcpy(wildcard_ssid_tlv->ssid, > user_scan_in->ssid_list[i].ssid, ssid_len); Can ssid_len ever be 0 here? If it can't, should we just set ssid_len to 1 unconditionally? If it can, should we just skip the memcpy as it won't do anything? Thanks, -- Julian Calaby Email: julian.calaby@...il.com Profile: http://www.google.com/profiles/julian.calaby/
Powered by blists - more mailing lists