[PATCH] wifi: mwifiex: Security: Fix memcpy oobs in mwifiex_set_encode

From: pinkperfect
Date: Wed Jul 05 2023 - 22:08:45 EST

Next message: Jonathan Cameron: "Re: [PATCH 01/23] i2c: amd-mp2: Remove #ifdef guards for PM related functions"
Previous message: Chao Yu: "[PATCH v3] f2fs: fix to avoid mmap vs set_compress_option case"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In cfg80211 flow, when handling userspace netlink messages
if input cipher mode is WLAN_CIPHER_SUITE_SMS4
will make cfg80211_validate_key_settings not check key_len and seq_len
which will cause controllable memcpy overwrite
So needs to check them in mwifiex_set_encode.

Signed-off-by: pinkperfect <pinkperfect2021@xxxxxxxxx>
---
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
index a2ad2b53f016..bddc11eac8a9 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
@@ -1099,6 +1099,11 @@ int mwifiex_set_encode(struct mwifiex_private *priv, struct key_params *kp,
{
struct mwifiex_ds_encrypt_key encrypt_key;

+ if (key_len > WLAN_MAX_KEY_LEN || (kp && kp->seq_len > PN_LEN)) {
+ mwifiex_dbg(priv->adapter, ERROR, "invalid parameters");
+ return -1;
+ }
+
memset(&encrypt_key, 0, sizeof(encrypt_key));
encrypt_key.key_len = key_len;
encrypt_key.key_index = key_index;
--
2.25.1

Next message: Jonathan Cameron: "Re: [PATCH 01/23] i2c: amd-mp2: Remove #ifdef guards for PM related functions"
Previous message: Chao Yu: "[PATCH v3] f2fs: fix to avoid mmap vs set_compress_option case"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]