From patchwork Wed Aug 23 22:33:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Gustavo A. R. Silva" X-Patchwork-Id: 716866 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5B16DC27C40 for ; Wed, 23 Aug 2023 22:33:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238671AbjHWWct (ORCPT ); Wed, 23 Aug 2023 18:32:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40774 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238679AbjHWWcX (ORCPT ); Wed, 23 Aug 2023 18:32:23 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BED0010F2; Wed, 23 Aug 2023 15:32:20 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4538A62E8E; Wed, 23 Aug 2023 22:32:20 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 86EEAC433C8; Wed, 23 Aug 2023 22:32:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1692829939; bh=/JEr4TiHL6f3C8pK8z0KSpApP+0BeWgNlnpN+Skgn7Q=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=of+NJVqTH37IuwzRB3hQZIxEBU6zwQHRnlCyo4vyD670RFKtLzpqWBdOnfwrrI1Jb BQejQs9AOsAwUnqd3cGDLhgouANeu61BqiJmS9E0PN893UZ+/pe/gGfRSN7kw8nIHO ce7DiCu6Jf0iy3EBBe93u6vdycW0xhnHhWTqawU8UO+4fUwTlUx2CahpI14KewSn7R U3UDb6nBBkkWio+YolLAj9ob8MaaCG9oOroDVHflJgA+uSrsBGy/WGC6ZYOxojvw4m 791gs3XOdI30sDc5bEYu7qvGOiRyoyP7g//LCzjnxuHxL4l5BXeYUlbDICQjLdr7Pn CpqYCP6KTra7Q== Date: Wed, 23 Aug 2023 16:33:19 -0600 From: "Gustavo A. R. Silva" To: Brian Norris , Kalle Valo , Amitkumar Karwar , Xinming Hu , Dan Williams Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva" , linux-hardening@vger.kernel.org Subject: [PATCH 3/3] wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len Message-ID: <587423b0737108effe82aefed4407daca39e9a51.1692829410.git.gustavoars@kernel.org> References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Add sanity checks for both `tlv_len` and `tlv_bitmap_len` before decoding data from `event_buf`. This prevents any malicious or buggy firmware from overflowing `event_buf` through large values for `tlv_len` or `tlv_bitmap_len`. Suggested-by: Dan Williams Signed-off-by: Gustavo A. R. Silva Reviewed-by: Justin Stitt --- .../net/wireless/marvell/mwifiex/11n_rxreorder.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c index 735aac52bdc4..9ee3b9f1e9ce 100644 --- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c +++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c @@ -921,6 +921,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv, while (tlv_buf_left > sizeof(*tlv_rxba)) { tlv_type = le16_to_cpu(tlv_rxba->header.type); tlv_len = le16_to_cpu(tlv_rxba->header.len); + if (size_add(sizeof(tlv_rxba->header), tlv_len) > tlv_buf_left) { + mwifiex_dbg(priv->adapter, WARN, + "TLV size (%ld) overflows event_buf (%d)\n", + size_add(sizeof(tlv_rxba->header), tlv_len), + tlv_buf_left); + return; + } + if (tlv_type != TLV_TYPE_RXBA_SYNC) { mwifiex_dbg(priv->adapter, ERROR, "Wrong TLV id=0x%x\n", tlv_type); @@ -929,6 +937,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv, tlv_seq_num = le16_to_cpu(tlv_rxba->seq_num); tlv_bitmap_len = le16_to_cpu(tlv_rxba->bitmap_len); + if (size_add(sizeof(*tlv_rxba), tlv_bitmap_len) > tlv_buf_left) { + mwifiex_dbg(priv->adapter, WARN, + "TLV size (%ld) overflows event_buf (%d)\n", + size_add(sizeof(*tlv_rxba), tlv_bitmap_len), + tlv_buf_left); + return; + } + mwifiex_dbg(priv->adapter, INFO, "%pM tid=%d seq_num=%d bitmap_len=%d\n", tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num,