diff mbox series

mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start

Message ID 20210302174311.4726-2-tim.gardner@canonical.com
State New
Headers show
Series mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start | expand

Commit Message

Tim Gardner March 2, 2021, 5:43 p.m. UTC 
From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>

CVE-CVE-2020-36158

mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking
the destination size may trigger a buffer overflower,
which a local user could use to cause denial of service
or the execution of arbitrary code.
Fix it by putting the length check before calling memcpy().

Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com
(cherry picked from commit 5c455c5ab332773464d02ba17015acdca198f03d)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 drivers/net/wireless/marvell/mwifiex/join.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Tim Gardner March 2, 2021, 5:49 p.m. UTC | #1 
The CVE string is garbled. Will resubmit.

On 3/2/21 10:43 AM, Tim Gardner wrote:
> From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
> 
> CVE-CVE-2020-36158
> 
> mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking
> the destination size may trigger a buffer overflower,
> which a local user could use to cause denial of service
> or the execution of arbitrary code.
> Fix it by putting the length check before calling memcpy().
> 
> Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
> Link: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com
> (cherry picked from commit 5c455c5ab332773464d02ba17015acdca198f03d)
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
> ---
>   drivers/net/wireless/marvell/mwifiex/join.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/net/wireless/marvell/mwifiex/join.c b/drivers/net/wireless/marvell/mwifiex/join.c
> index d87aeff70cef..c2cb1e711c06 100644
> --- a/drivers/net/wireless/marvell/mwifiex/join.c
> +++ b/drivers/net/wireless/marvell/mwifiex/join.c
> @@ -877,6 +877,8 @@ mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv,
>   
>   	memset(adhoc_start->ssid, 0, IEEE80211_MAX_SSID_LEN);
>   
> +	if (req_ssid->ssid_len > IEEE80211_MAX_SSID_LEN)
> +		req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN;
>   	memcpy(adhoc_start->ssid, req_ssid->ssid, req_ssid->ssid_len);
>   
>   	mwifiex_dbg(adapter, INFO, "info: ADHOC_S_CMD: SSID = %s\n",
>
diff mbox series

Patch

diff --git a/drivers/net/wireless/marvell/mwifiex/join.c b/drivers/net/wireless/marvell/mwifiex/join.c
index d87aeff70cef..c2cb1e711c06 100644
--- a/drivers/net/wireless/marvell/mwifiex/join.c
+++ b/drivers/net/wireless/marvell/mwifiex/join.c
@@ -877,6 +877,8 @@  mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv,
 
 	memset(adhoc_start->ssid, 0, IEEE80211_MAX_SSID_LEN);
 
+	if (req_ssid->ssid_len > IEEE80211_MAX_SSID_LEN)
+		req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN;
 	memcpy(adhoc_start->ssid, req_ssid->ssid, req_ssid->ssid_len);
 
 	mwifiex_dbg(adapter, INFO, "info: ADHOC_S_CMD: SSID = %s\n",