diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2018-06-05 14:31:39 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-10-03 17:01:46 -0700 |
| commit | f204945c20f9fdd34a982f2cb58f45c91c0adf50 (patch) | |
| tree | 1fad9c4fd674b0556cec1625b4ee313fee71737b /drivers | |
| parent | 7b4a09d167ebed0a6e10695cdfd7e0410057008a (diff) | |
rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
[ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ]
This is a static checker fix, not something I have tested. The issue
is that on the second iteration through the loop, we jump forward by
le32_to_cpu(auth_req->length) bytes. The problem is that if the length
is more than "buflen" then we end up with a negative "buflen". A
negative buflen is type promoted to a high positive value and the loop
continues but it's accessing beyond the end of the buffer.
I believe the "auth_req->length" comes from the firmware and if the
firmware is malicious or buggy, you're already toasted so the impact of
this bug is probably not very severe.
Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/net/wireless/rndis_wlan.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c index 15b2350d9f45..c9f8847dc123 100644 --- a/drivers/net/wireless/rndis_wlan.c +++ b/drivers/net/wireless/rndis_wlan.c @@ -2921,6 +2921,8 @@ static void rndis_wlan_auth_indication(struct usbnet *usbdev, while (buflen >= sizeof(*auth_req)) { auth_req = (void *)buf; + if (buflen < le32_to_cpu(auth_req->length)) + return; type = "unknown"; flags = le32_to_cpu(auth_req->flags); pairwise_error = false; |