Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
From: Pkshih
Date: Fri Oct 18 2019 - 08:36:04 EST
On Fri, 2019-10-18 at 07:43 -0400, Laura Abbott wrote:
> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
>
> Reported-by: Nicolas Waisman <nico@xxxxxxxxxx>
> Signed-off-by: Laura Abbott <labbott@xxxxxxxxxx>
Acked-by: Ping-Ke Shih <pkshih@xxxxxxxxxxx>
and Please CC to stable
Cc: Stable <stable@xxxxxxxxxxxxxxx> # 4.4+
---
Hi Kalle,
This bug was existing since v3.10, and directory of wireless drivers were
moved at v4.4. Do I need send another patch to fix this issue for longterm
kernel v3.16.75?
Thanks
PK
> ---
> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
> ---
> Âdrivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++
> Â1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c
> b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..fff8dda14023 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void
> *data,
> Â return;
> Â } else {
> Â noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
> Â }
> Â noa_index = ie[3];
> Â if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw,
> void *data,
> Â return;
> Â } else {
> Â noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
> Â }
> Â noa_index = ie[3];
> Â if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==