| Message ID | 20191018071303.32156-2-tyhicks@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | CVE-2019-17666: rtlwifi buffer overflow | expand |
On 18.10.19 09:13, Tyler Hicks wrote: > Nicolas Waisman noticed that even though noa_len is checked for > a compatible length it's still possible to overrun the buffers > of p2pinfo since there's no check on the upper bound of noa_num. > Bounds check noa_num against P2P_MAX_NOA_NUM using the minimum of the > two. > > CVE-2019-17666 > > Reported-by: Nicolas Waisman <nico@semmle.com> > Suggested-by: Ping-Ke Shih <pkshih@realtek.com> > [tyhicks: Reuse nearly all of a commit message written by Laura Abbott] > Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c > index 70f04c2f5b17..3b79c25bc376 100644 > --- a/drivers/net/wireless/realtek/rtlwifi/ps.c > +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c > @@ -753,7 +753,8 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data, > noa_len); > return; > } else { > - noa_num = (noa_len - 2) / 13; > + noa_num = min((noa_len - 2) / 13, > + P2P_MAX_NOA_NUM); > } > noa_index = ie[3]; > if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode == > @@ -847,7 +848,8 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data, > noa_len); > return; > } else { > - noa_num = (noa_len - 2) / 13; > + noa_num = min((noa_len - 2) / 13, > + P2P_MAX_NOA_NUM); > } > noa_index = ie[3]; > if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode == >
diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c index 70f04c2f5b17..3b79c25bc376 100644 --- a/drivers/net/wireless/realtek/rtlwifi/ps.c +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c @@ -753,7 +753,8 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data, noa_len); return; } else { - noa_num = (noa_len - 2) / 13; + noa_num = min((noa_len - 2) / 13, + P2P_MAX_NOA_NUM); } noa_index = ie[3]; if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode == @@ -847,7 +848,8 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data, noa_len); return; } else { - noa_num = (noa_len - 2) / 13; + noa_num = min((noa_len - 2) / 13, + P2P_MAX_NOA_NUM); } noa_index = ie[3]; if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
Nicolas Waisman noticed that even though noa_len is checked for a compatible length it's still possible to overrun the buffers of p2pinfo since there's no check on the upper bound of noa_num. Bounds check noa_num against P2P_MAX_NOA_NUM using the minimum of the two. CVE-2019-17666 Reported-by: Nicolas Waisman <nico@semmle.com> Suggested-by: Ping-Ke Shih <pkshih@realtek.com> [tyhicks: Reuse nearly all of a commit message written by Laura Abbott] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> --- drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)