Re: [PATCH AUTOSEL 4.19 14/60] mwifiex: Abort at too short BSS descriptor element

From: Sasha Levin
Date: Wed Jul 10 2019 - 10:51:16 EST

Next message: Janusz Krzysztofik: "[RFC PATCH] drm/i915: Drop extern qualifiers from header function prototypes"
Previous message: syzbot: "KMSAN: uninit-value in smsc95xx_read_eeprom (2)"
Next in thread: Brian Norris: "Re: [PATCH AUTOSEL 4.19 14/60] mwifiex: Abort at too short BSS descriptor element"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jun 28, 2019 at 03:58:49PM -0700, Brian Norris wrote:

On Wed, Jun 26, 2019 at 5:49 PM Sasha Levin <sashal@xxxxxxxxxx> wrote:

From: Takashi Iwai <tiwai@xxxxxxx>

[ Upstream commit 685c9b7750bfacd6fc1db50d86579980593b7869 ]

Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
the source descriptor entries contain the enough size for each type
and performs copying without checking the source size. This may lead
to read over boundary.

Fix this by putting the source size check in appropriate places.

Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

For the record, this fixup is still aiming for 5.2, correcting some
potential mistakes in this patch:

63d7ef36103d mwifiex: Don't abort on small, spec-compliant vendor IEs

So you might want to hold off a bit, and grab them both.

I see that 63d7ef36103d didn't make it into 5.2, so I'll just drop this
for now.

--
Thanks,
Sasha

Next message: Janusz Krzysztofik: "[RFC PATCH] drm/i915: Drop extern qualifiers from header function prototypes"
Previous message: syzbot: "KMSAN: uninit-value in smsc95xx_read_eeprom (2)"
Next in thread: Brian Norris: "Re: [PATCH AUTOSEL 4.19 14/60] mwifiex: Abort at too short BSS descriptor element"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]