On Thu, Jun 13, 2019 at 08:12:39PM +0200, Takashi Iwai wrote:
> On Thu, 13 Jun 2019 19:49:40 +0200,
> Brian Norris wrote:
> > On Wed, May 29, 2019 at 02:52:20PM +0200, Takashi Iwai wrote:
> > > --- a/drivers/net/wireless/marvell/mwifiex/scan.c
> > > +++ b/drivers/net/wireless/marvell/mwifiex/scan.c
> > > @@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct
> > > mwifiex_adapter *adapter,
> > > break;
> > >
> > > case WLAN_EID_FH_PARAMS:
> > > + if (element_len + 2 < sizeof(*fh_param_set))
> >
> > "element_len + 2" would be much more readable as "total_ie_len". (Same for
> > several other usages in this patch.) I can send such a patch myself as a
> > follow-up I suppose.
>
> Yes, please.
I'll wait until we straighten out the other (potentially) real bug.
Don't want to make needless conflicts.
> > > + return -EINVAL;
> > > fh_param_set =
> > > (struct ieee_types_fh_param_set *) current_ptr;
> > > memcpy(&bss_entry->phy_param_set.fh_param_set,
> >
> > [...]
> >
> > > @@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct
> > > mwifiex_adapter *adapter,
> > > break;
> > >
> > > case WLAN_EID_VENDOR_SPECIFIC:
> > > + if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
> >
> > Why 'sizeof(vendor_ie->vend_hdr)'? The (mwifiex-specific compare with the
> > ieee80211.h generic struct ieee80211_vendor_ie) ieee_types_vendor_header
> > struct
> > includes the 'oui_subtype' and 'version' fields, which are not standard
> > requirements for the vendor header (in fact, even the 4th byte of the
> > OUI -- "oui_type" -- doesn't appear to be in the 802.11 specification).
> > So it looks to me like you might be rejecting valid vendor headers (that
> > we should just be skipping) that might have vendor-specific content with
> > length 0 or 1 bytes.
> >
> > It seems like we should only be validating the standard pieces (e.g., up to
> > the
> > length/OUI), and only after an appropriate OUI match, *then* validating the
> > rest of
> > the vendor element (the pieces we'll use later).
>
> Hm, right, that looks too strict. Instead we need to check right
> before both memcmp()'s of OUI.
I think this is the right place for one check (the memcmp() is right
after this line anyway) -- the minimum length just should be smaller.
e.g.:
sizeof(struct ieee80211_vendor_ie) // this is still technically 1 byte too
large I think
or
offsetof(struct ieee80211_vendor_ie, oui_type) // not sure if this is the
cleanest...
If it's smaller than that, we can still say -EINVAL.
Then, we can go with:
if (element_len < sizeof(wpa_oui)
continue;
or similar.
So, I might say:
/* Vendor IEs must at least contain the OUI. */
if (total_ie_len < offsetof(struct ieee80211_vendor_ie, oui_type))
return -EINVAL;
/* If the IE still isn't long enough, it's not a match. */
if (element_len < sizeof(wpa_oui))
continue;
Brian
