[PATCH 3.10 246/319] brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

From: Willy Tarreau
Date: Sun Feb 05 2017 - 14:31:45 EST

Next message: Willy Tarreau: "[PATCH 3.10 309/319] dm flakey: fix reads to be issued if drop_writes configured"
Previous message: Willy Tarreau: "[PATCH 3.10 275/319] ipc: remove use of seq_printf return value"
In reply to: Willy Tarreau: "Re: [PATCH 3.10 275/319] ipc: remove use of seq_printf return value"
Next in thread: Willy Tarreau: "[PATCH 3.10 309/319] dm flakey: fix reads to be issued if drop_writes configured"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx>

commit ded89912156b1a47d940a0c954c43afbabd0c42c upstream.

User-space can choose to omit NL80211_ATTR_SSID and only provide raw
IE TLV data. When doing so it can provide SSID IE with length exceeding
the allowed size. The driver further processes this IE copying it
into a local variable without checking the length. Hence stack can be
corrupted and used as exploit.

Reported-by: Daxing Guo <freener.gdx@xxxxxxxxx>
Reviewed-by: Hante Meuleman <hante.meuleman@xxxxxxxxxxxx>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@xxxxxxxxxxxx>
Reviewed-by: Franky Lin <franky.lin@xxxxxxxxxxxx>
Signed-off-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>
Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
Signed-off-by: Willy Tarreau <w@xxxxxx>
---
drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
index 301e572..2c52430 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
@@ -3726,7 +3726,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
(u8 *)&settings->beacon.head[ie_offset],
settings->beacon.head_len - ie_offset,
WLAN_EID_SSID);
- if (!ssid_ie)
+ if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
return -EINVAL;

memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
--
2.8.0.rc2.1.gbe9624a

Next message: Willy Tarreau: "[PATCH 3.10 309/319] dm flakey: fix reads to be issued if drop_writes configured"
Previous message: Willy Tarreau: "[PATCH 3.10 275/319] ipc: remove use of seq_printf return value"
In reply to: Willy Tarreau: "Re: [PATCH 3.10 275/319] ipc: remove use of seq_printf return value"
Next in thread: Willy Tarreau: "[PATCH 3.10 309/319] dm flakey: fix reads to be issued if drop_writes configured"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]