Re: [PATCH] wifi: mwifiex: Fix integer underflow in mwifiex_process_mgmt_packet
From: Jakub Kicinski
Date: Wed Jul 12 2023 - 20:51:14 EST
On Wed, 5 Jul 2023 04:43:50 +0000 pinkperfect wrote:
> In outside functions have checked upper limit of rx_pkt_length,
> in mwifiex_process_mgmt_packet should make sure rx_pkt_length not underflow
> to avoid OOB access.
Please add a Fixes tag.
> Signed-off-by: pinkperfect <pinkperfect2021@xxxxxxxxx>
We need something close to your legal name, or basically know who you
are. Because of developer certificate of origin. We're working on real
code under real copyright law..
> diff --git a/drivers/net/wireless/marvell/mwifiex/util.c b/drivers/net/wireless/marvell/mwifiex/util.c
> index 94c2d219835d..4291252e06ea 100644
> --- a/drivers/net/wireless/marvell/mwifiex/util.c
> +++ b/drivers/net/wireless/marvell/mwifiex/util.c
> @@ -399,6 +399,11 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv,
>
> pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
>
> + if (pkt_len < sizeof(struct ieee80211_hdr)) {
The callers also look at the header and the MAC addresses in it.
I think we need to pull this check earlier.
> + mwifiex_dbg(priv->adapter, ERROR, "invalid rx_pkt_length");
> + return -1;