mwifiex: Fix possible buffer overflows at parsing bss descriptor [Linux 4.4.186]

This Linux kernel change "mwifiex: Fix possible buffer overflows at parsing bss descriptor" is included in the Linux 4.4.186 release. It was authored by Takashi Iwai <tiwai [at] suse.de> on Wed May 29 14:52:19 2019 +0200. The commit in the Linux stable tree is 5d43b41 (patch), a backport of upstream commit 13ec7f1. The same upstream change may have been applied to other maintained Linux releases; all releases that contain upstream 13ec7f1 can be looked up by that commit id.

mwifiex: Fix possible buffer overflows at parsing bss descriptor

[ Upstream commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 ]

mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
a couple places without checking the destination size.  Since the
source is given from user-space, this may trigger a heap buffer
overflow.

Fix it by putting the length check before performing memcpy().

This fix addresses CVE-2019-3846.

Reported-by: huangwen <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
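
To make the commit message concrete, the following is an added example (not code from this page or from the mwifiex driver): a user-space C model of the IE walk in mwifiex_update_bss_desc_with_ie(), with hypothetical names (struct bss_desc, parse_ies, demo_one_ie) and constructed byte strings standing in for elements received from the air. It carries the two destination-size checks from the patch and, in addition, a check that each element body stays inside the received buffer; that extra check is an assumption of the model, not something the visible hunks show.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as named in the kernel headers; struct bss_desc is a hypothetical
 * stand-in for the SSID and rate fields of the driver's BSS descriptor. */
#define IEEE80211_MAX_SSID_LEN   32
#define MWIFIEX_SUPPORTED_RATES  14
#define WLAN_EID_SSID            0
#define WLAN_EID_SUPP_RATES      1

struct bss_desc {
	uint8_t ssid[IEEE80211_MAX_SSID_LEN];
	uint8_t ssid_len;
	uint8_t data_rates[MWIFIEX_SUPPORTED_RATES];
	uint8_t supported_rates[MWIFIEX_SUPPORTED_RATES];
};

/*
 * Walk a buffer of 802.11 information elements (id, len, body...) and fill
 * the descriptor. Every length comes from the frame, so it is untrusted and
 * each copy is bounded by the destination size before memcpy() runs.
 * Returns 0 on success or -EINVAL on a malformed element, as the fix does.
 */
int parse_ies(const uint8_t *ie, size_t ie_len, struct bss_desc *bss)
{
	size_t off = 0;

	while (ie_len - off >= 2) {
		uint8_t element_id = ie[off];
		uint8_t element_len = ie[off + 1];
		const uint8_t *current_ptr = ie + off;

		/* Assumed check (outside the hunk): body must not run past
		 * the end of the received buffer. */
		if (element_len > ie_len - off - 2)
			return -EINVAL;

		switch (element_id) {
		case WLAN_EID_SSID:
			/* Unpatched code copied element_len bytes (up to 255)
			 * into a 32-byte array: the CVE-2019-3846 overflow. */
			if (element_len > IEEE80211_MAX_SSID_LEN)
				return -EINVAL;
			bss->ssid_len = element_len;
			memcpy(bss->ssid, current_ptr + 2, element_len);
			break;
		case WLAN_EID_SUPP_RATES:
			/* One bound guards both 14-byte destinations. */
			if (element_len > MWIFIEX_SUPPORTED_RATES)
				return -EINVAL;
			memcpy(bss->data_rates, current_ptr + 2, element_len);
			memcpy(bss->supported_rates, current_ptr + 2, element_len);
			break;
		default:
			break;	/* other element ids are skipped in this model */
		}
		off += 2 + element_len;
	}
	return 0;
}

/* Constructed IE stream (not captured from a real AP): SSID "guest",
 * four basic rates, then a vendor-specific element the model ignores. */
static const uint8_t good_ies[] = {
	WLAN_EID_SSID, 5, 'g', 'u', 'e', 's', 't',
	WLAN_EID_SUPP_RATES, 4, 0x82, 0x84, 0x8b, 0x96,
	221, 3, 0x00, 0x50, 0xf2,
};

/* Build a single element with the given id and declared length but only
 * body_len real bytes behind it (body_len <= 255), and return the parser's
 * verdict. Declared > real models a truncated frame; declared > destination
 * models the oversized SSID or rate list a hostile AP would send. */
int demo_one_ie(uint8_t id, uint8_t claimed_len, size_t body_len)
{
	uint8_t buf[2 + 255];
	struct bss_desc bss = {0};

	if (body_len > 255)
		return -EINVAL;
	buf[0] = id;
	buf[1] = claimed_len;
	memset(buf + 2, 'A', body_len);
	return parse_ies(buf, 2 + body_len, &bss);
}

int main(void)
{
	struct bss_desc bss = {0};
	int rc = parse_ies(good_ies, sizeof(good_ies), &bss);

	printf("good stream: rc=%d ssid=%.*s first_rate=%#x\n", rc,
	       bss.ssid_len, bss.ssid, (unsigned)bss.data_rates[0]);
	printf("40-byte ssid: rc=%d\n", demo_one_ie(WLAN_EID_SSID, 40, 40));
	printf("20 rates: rc=%d\n", demo_one_ie(WLAN_EID_SUPP_RATES, 20, 20));
	printf("truncated: rc=%d\n", demo_one_ie(WLAN_EID_SSID, 10, 3));
	return 0;
}
```

A zero-length SSID element (a hidden network) still parses, and a 32-byte SSID is accepted exactly at the bound; only lengths that exceed the destination, or that overrun the frame, are rejected, and rejection discards the whole descriptor rather than the single element, which is the same conservative choice the patch makes.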

This change adds 4 lines of Linux source code and deletes none. The code changes to the Linux kernel are as follows.

 drivers/net/wireless/mwifiex/scan.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c
index fb98f42..6f78989 100644
--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -1219,6 +1219,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
        }
        switch (element_id) {
        case WLAN_EID_SSID:
+           if (element_len > IEEE80211_MAX_SSID_LEN)
+               return -EINVAL;
            bss_entry->ssid.ssid_len = element_len;
            memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
                   element_len);
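Review bot: the new bound is correct only if bss_entry->ssid.ssid is declared with exactly IEEE80211_MAX_SSID_LEN bytes; please confirm that against the struct definition rather than relying on the constant's name, since the memcpy() two lines below still copies element_len bytes with no other guard. Returning -EINVAL here drops the whole descriptor on one malformed element instead of skipping the element, which is the safe choice for frame-derived data, but a short comment saying so would help, and it is worth noting that element_len == 0 (a hidden SSID) still passes, as it should.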
@@ -1228,6 +1230,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
            break;

        case WLAN_EID_SUPP_RATES:
+           if (element_len > MWIFIEX_SUPPORTED_RATES)
+               return -EINVAL;
            memcpy(bss_entry->data_rates, current_ptr + 2,
                   element_len);
            memcpy(bss_entry->supported_rates, current_ptr + 2,
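Review bot: one bound of MWIFIEX_SUPPORTED_RATES is guarding two memcpy() destinations, data_rates and supported_rates, so the check is sufficient only if both arrays are at least MWIFIEX_SUPPORTED_RATES bytes; confirm both sizes in the descriptor struct, and consider a comment on the check saying it covers both copies so a later edit that resizes one array does not silently reopen the overflow. Since this hunk only bounds the initial copy into supported_rates, any later code path that appends further rates to that array needs the same bound against the remaining space.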
