mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-23 07:22:33 +00:00
bff16304b0
Fixes CVE-2017-0786 Signed-off-by: Felix Fietkau <nbd@nbd.name>
64 lines
2.4 KiB
Diff
64 lines
2.4 KiB
Diff
From: Arend Van Spriel <arend.vanspriel@broadcom.com>
|
|
Date: Tue, 12 Sep 2017 10:47:53 +0200
|
|
Subject: [PATCH] brcmfmac: add length check in brcmf_cfg80211_escan_handler()
|
|
|
|
Upon handling the firmware notification for scans the length was
|
|
checked properly and may result in corrupting kernel heap memory
|
|
due to buffer overruns. This fix addresses CVE-2017-0786.
|
|
|
|
Cc: stable@vger.kernel.org # v4.0.x
|
|
Cc: Kevin Cernekee <cernekee@chromium.org>
|
|
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
|
|
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
|
|
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
|
|
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
|
|
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
|
---
|
|
|
|
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
|
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
|
@@ -3088,6 +3088,7 @@ brcmf_cfg80211_escan_handler(struct brcm
|
|
struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
|
|
s32 status;
|
|
struct brcmf_escan_result_le *escan_result_le;
|
|
+ u32 escan_buflen;
|
|
struct brcmf_bss_info_le *bss_info_le;
|
|
struct brcmf_bss_info_le *bss = NULL;
|
|
u32 bi_length;
|
|
@@ -3104,11 +3105,23 @@ brcmf_cfg80211_escan_handler(struct brcm
|
|
|
|
if (status == BRCMF_E_STATUS_PARTIAL) {
|
|
brcmf_dbg(SCAN, "ESCAN Partial result\n");
|
|
+ if (e->datalen < sizeof(*escan_result_le)) {
|
|
+ brcmf_err("invalid event data length\n");
|
|
+ goto exit;
|
|
+ }
|
|
escan_result_le = (struct brcmf_escan_result_le *) data;
|
|
if (!escan_result_le) {
|
|
brcmf_err("Invalid escan result (NULL pointer)\n");
|
|
goto exit;
|
|
}
|
|
+ escan_buflen = le32_to_cpu(escan_result_le->buflen);
|
|
+ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
|
|
+ escan_buflen > e->datalen ||
|
|
+ escan_buflen < sizeof(*escan_result_le)) {
|
|
+ brcmf_err("Invalid escan buffer length: %d\n",
|
|
+ escan_buflen);
|
|
+ goto exit;
|
|
+ }
|
|
if (le16_to_cpu(escan_result_le->bss_count) != 1) {
|
|
brcmf_err("Invalid bss_count %d: ignoring\n",
|
|
escan_result_le->bss_count);
|
|
@@ -3125,9 +3138,8 @@ brcmf_cfg80211_escan_handler(struct brcm
|
|
}
|
|
|
|
bi_length = le32_to_cpu(bss_info_le->length);
|
|
- if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
|
|
- WL_ESCAN_RESULTS_FIXED_SIZE)) {
|
|
- brcmf_err("Invalid bss_info length %d: ignoring\n",
|
|
+ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
|
|
+ brcmf_err("Ignoring invalid bss_info length: %d\n",
|
|
bi_length);
|
|
goto exit;
|
|
}
|