Re: [PATCH] wl1251: Fix possible buffer overflow in wl1251_cmd_scan
From: Kalle Valo
Date: Sun Apr 18 2021 - 03:03:33 EST
Lee Gibson <leegib@xxxxxxxxx> writes:
> Function wl1251_cmd_scan calls memcpy without checking the length.
> A user could control that length and trigger a buffer overflow.
> Fix by checking the length is within the maximum allowed size.
>
> Signed-off-by: Lee Gibson <leegib@xxxxxxxxx>
Please fix the commit log, the user cannot control this length as
cfg80211 checks it before handling it to wl1251. Unless I'm missing
something.
> ---
> drivers/net/wireless/ti/wl1251/cmd.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c
> index 498c8db2eb48..e4d028a53d91 100644
> --- a/drivers/net/wireless/ti/wl1251/cmd.c
> +++ b/drivers/net/wireless/ti/wl1251/cmd.c
> @@ -455,8 +455,11 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len,
> }
>
> cmd->params.ssid_len = ssid_len;
If you are checking the length, you should also check ssid_len here.
> - if (ssid)
> - memcpy(cmd->params.ssid, ssid, ssid_len);
> + if (ssid) {
> + int len = min_t(int, ssid_len, IEEE80211_MAX_SSID_LEN);
> +
> + memcpy(cmd->params.ssid, ssid, len);
> + }
Please use clamp_val().
Also another (and IMHO better) way to cleanup this is to provide a
pointer to struct cfg80211_ssid, which makes it clear that the length
can be trusted and not length checking is not needed. So something like
this:
int wl1251_cmd_scan(struct wl1251 *wl, const struct cfg80211_ssid *ssid,
struct ieee80211_channel *channels[],
unsigned int n_channels, unsigned int n_probes)
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches