diff options
author | Wen Huang <huangwenabc@gmail.com> | 2019-08-28 10:07:51 +0800 |
---|---|---|
committer | Kalle Valo <kvalo@codeaurora.org> | 2019-09-03 16:50:21 +0300 |
commit | 7caac62ed598a196d6ddf8d9c121e12e082cac3a (patch) | |
tree | 926f8c0a3bb5c8cff8ee3a1d5d8a4a85e94e853b /drivers/net/wireless/marvell/mwifiex/ie.c | |
parent | 70702265a04aa0ce5a7bde77d13456209992b32f (diff) | |
download | linux-7caac62ed598a196d6ddf8d9c121e12e082cac3a.tar.bz2 |
mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and
mwifiex_set_wmm_params() call memcpy() without checking
the destination size.Since the source is given from
user-space, this may trigger a heap buffer overflow.
Fix them by putting the length check before performing memcpy().
This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816.
Signed-off-by: Wen Huang <huangwenabc@gmail.com>
Acked-by: Ganapathi Bhat <gbhat@marvell.comg>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Diffstat (limited to 'drivers/net/wireless/marvell/mwifiex/ie.c')
-rw-r--r-- | drivers/net/wireless/marvell/mwifiex/ie.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c index 653d347a9a19..580387f9f12a 100644 --- a/drivers/net/wireless/marvell/mwifiex/ie.c +++ b/drivers/net/wireless/marvell/mwifiex/ie.c @@ -241,6 +241,9 @@ static int mwifiex_update_vs_ie(const u8 *ies, int ies_len, } vs_ie = (struct ieee_types_header *)vendor_ie; + if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 > + IEEE_MAX_IE_SIZE) + return -EINVAL; memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length), vs_ie, vs_ie->len + 2); le16_unaligned_add_cpu(&ie->ie_length, vs_ie->len + 2); |