[PATCH 3.16 128/129] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()

From: Ben Hutchings
Date: Sun Jul 07 2019 - 15:39:26 EST


3.16.70-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@xxxxxxx>

commit 69ae4f6aac1578575126319d3f55550e7e440449 upstream.

A few places in mwifiex_uap_parse_tail_ies() perform memcpy()
unconditionally, which may lead to either buffer overflow or read over
boundary.

This patch addresses the issues by checking the read size and the
destination size at each place more properly. Along with the fixes,
the patch cleans up the code slightly by introducing a temporary
variable for the token size, and unifies the error path with the
standard goto statement.

Reported-by: huangwen <huangwen@xxxxxxxxxxxxxxxx>
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
[bwh: Backported to 3.16:
- The tail IEs are parsed in mwifiex_set_mgmt_ies, which looks for two
specific IEs rather than looping
- Check IE length against tail length after calling
cfg80211_find_vendor_ie(), but not after cfg80211_find_ie() since that
already does it
- On error, return without calling mwifiex_set_mgmt_beacon_data_ies()
- Drop inapplicable change to WMM IE handling
- Adjust filename]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
drivers/net/wireless/mwifiex/ie.c | 47 +++++++++++++++--------
1 file changed, 31 insertions(+), 16 deletions(-)

--- a/drivers/net/wireless/mwifiex/ie.c
+++ b/drivers/net/wireless/mwifiex/ie.c
@@ -328,6 +328,8 @@ int mwifiex_set_mgmt_ies(struct mwifiex_
struct ieee_types_header *rsn_ie, *wpa_ie = NULL;
u16 rsn_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0;
const u8 *vendor_ie;
+ unsigned int token_len;
+ int err = 0;

if (info->tail && info->tail_len) {
gen_ie = kzalloc(sizeof(struct mwifiex_ie), GFP_KERNEL);
@@ -341,8 +343,13 @@ int mwifiex_set_mgmt_ies(struct mwifiex_
rsn_ie = (void *)cfg80211_find_ie(WLAN_EID_RSN,
info->tail, info->tail_len);
if (rsn_ie) {
- memcpy(gen_ie->ie_buffer, rsn_ie, rsn_ie->len + 2);
- ie_len = rsn_ie->len + 2;
+ token_len = rsn_ie->len + 2;
+ if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
+ err = -EINVAL;
+ goto out;
+ }
+ memcpy(gen_ie->ie_buffer + ie_len, rsn_ie, token_len);
+ ie_len += token_len;
gen_ie->ie_length = cpu_to_le16(ie_len);
}

@@ -352,9 +359,15 @@ int mwifiex_set_mgmt_ies(struct mwifiex_
info->tail_len);
if (vendor_ie) {
wpa_ie = (struct ieee_types_header *)vendor_ie;
- memcpy(gen_ie->ie_buffer + ie_len,
- wpa_ie, wpa_ie->len + 2);
- ie_len += wpa_ie->len + 2;
+ token_len = wpa_ie->len + 2;
+ if (token_len >
+ info->tail + info->tail_len - (u8 *)wpa_ie ||
+ ie_len + token_len > IEEE_MAX_IE_SIZE) {
+ err = -EINVAL;
+ goto out;
+ }
+ memcpy(gen_ie->ie_buffer + ie_len, wpa_ie, token_len);
+ ie_len += token_len;
gen_ie->ie_length = cpu_to_le16(ie_len);
}

@@ -362,13 +375,16 @@ int mwifiex_set_mgmt_ies(struct mwifiex_
if (mwifiex_update_uap_custom_ie(priv, gen_ie, &rsn_idx,
NULL, NULL,
NULL, NULL)) {
- kfree(gen_ie);
- return -1;
+ err = -EINVAL;
+ goto out;
}
priv->rsn_idx = rsn_idx;
}

+ out:
kfree(gen_ie);
+ if (err)
+ return err;
}

return mwifiex_set_mgmt_beacon_data_ies(priv, info);