Re: [PATCH] wifi: mwifiex: Fix integer underflow in mwifiex_process_mgmt_packet

[Jakub Kicinski]

On Wed,  5 Jul 2023 04:43:50 +0000 pinkperfect wrote:
> In outside functions have checked upper limit of rx_pkt_length,
> in mwifiex_process_mgmt_packet should make sure rx_pkt_length not underflow
> to avoid OOB access.

Please add a Fixes tag.

> Signed-off-by: pinkperfect <pinkperfect2021@xxxxxxxxx>

We need something close to your legal name, or basically know who you
are. Because of developer certificate of origin. We're working on real
code under real copyright law..

> diff --git a/drivers/net/wireless/marvell/mwifiex/util.c b/drivers/net/wireless/marvell/mwifiex/util.c
> index 94c2d219835d..4291252e06ea 100644
> --- a/drivers/net/wireless/marvell/mwifiex/util.c
> +++ b/drivers/net/wireless/marvell/mwifiex/util.c
> @@ -399,6 +399,11 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv,
>  
>  	pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
>  
> +	if (pkt_len < sizeof(struct ieee80211_hdr)) {

The callers also look at the header and the MAC addresses in it.
I think we need to pull this check earlier.

> +		mwifiex_dbg(priv->adapter, ERROR, "invalid rx_pkt_length");
> +		return -1;