Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
Laura Abbott wrote: > Nicolas Waisman noticed that even though noa_len is checked for > a compatible length it's still possible to overrun the buffers > of p2pinfo since there's no check on the upper bound of noa_num. > Bound noa_num against P2P_MAX_NOA_NUM. > > Reported-by: Nicolas Waisman > Signed-off-by: Laura Abbott > Acked-by: Ping-Ke Shih Patch applied to wireless-drivers.git, thanks. 8c55dedb795b rtlwifi: Fix potential overflow on P2P code -- https://patchwork.kernel.org/patch/11198315/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
Laura Abbott writes:
> On 10/19/19 6:51 AM, Kalle Valo wrote:
>> Laura Abbott writes:
>>
>>> Nicolas Waisman noticed that even though noa_len is checked for
>>> a compatible length it's still possible to overrun the buffers
>>> of p2pinfo since there's no check on the upper bound of noa_num.
>>> Bound noa_num against P2P_MAX_NOA_NUM.
>>>
>>> Reported-by: Nicolas Waisman
>>> Signed-off-by: Laura Abbott
>>> ---
>>> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
>>> ---
>>> drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++
>>> 1 file changed, 6 insertions(+)
>>>
>>> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> b/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> index 70f04c2f5b17..fff8dda14023 100644
>>> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw,
>>> void *data,
>>> return;
>>> } else {
>>> noa_num = (noa_len - 2) / 13;
>>> + if (noa_num > P2P_MAX_NOA_NUM)
>>> + noa_num = P2P_MAX_NOA_NUM;
>>> +
>>> }
>>> noa_index = ie[3];
>>> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
>>> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw,
>>> void *data,
>>> return;
>>> } else {
>>> noa_num = (noa_len - 2) / 13;
>>> + if (noa_num > P2P_MAX_NOA_NUM)
>>> + noa_num = P2P_MAX_NOA_NUM;
>>
>> IMHO using min() would be cleaner, but I'm fine with this as well. Up to
>> you.
>>
>
> I believe the intention is to re-write this anyway so I'd prefer to
> just get this in given the uptick this issue seems to have gotten.
Ok, I'll queue this to v5.4.
--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
On 10/19/19 6:51 AM, Kalle Valo wrote:
Laura Abbott writes:
Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bound noa_num against P2P_MAX_NOA_NUM.
Reported-by: Nicolas Waisman
Signed-off-by: Laura Abbott
---
v2: Use P2P_MAX_NOA_NUM instead of erroring out.
---
drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c
b/drivers/net/wireless/realtek/rtlwifi/ps.c
index 70f04c2f5b17..fff8dda14023 100644
--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
+++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
@@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void
*data,
return;
} else {
noa_num = (noa_len - 2) / 13;
+ if (noa_num > P2P_MAX_NOA_NUM)
+ noa_num = P2P_MAX_NOA_NUM;
+
}
noa_index = ie[3];
if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
@@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void
*data,
return;
} else {
noa_num = (noa_len - 2) / 13;
+ if (noa_num > P2P_MAX_NOA_NUM)
+ noa_num = P2P_MAX_NOA_NUM;
IMHO using min() would be cleaner, but I'm fine with this as well. Up to
you.
I believe the intention is to re-write this anyway so I'd prefer to
just get this in given the uptick this issue seems to have gotten.
Thanks,
Laura
Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
Pkshih writes: > On Fri, 2019-10-18 at 07:43 -0400, Laura Abbott wrote: >> Nicolas Waisman noticed that even though noa_len is checked for >> a compatible length it's still possible to overrun the buffers >> of p2pinfo since there's no check on the upper bound of noa_num. >> Bound noa_num against P2P_MAX_NOA_NUM. >> >> Reported-by: Nicolas Waisman >> Signed-off-by: Laura Abbott > > Acked-by: Ping-Ke Shih > and Please CC to stable > Cc: Stable # 4.4+ > > --- > > Hi Kalle, > > This bug was existing since v3.10, and directory of wireless drivers were > moved at v4.4. Do I need send another patch to fix this issue for longterm > kernel v3.16.75? Yeah, I think you need to send a separate patch to the stable list (after this commit is in Linus' tree). -- https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
Laura Abbott writes:
> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
>
> Reported-by: Nicolas Waisman
> Signed-off-by: Laura Abbott
> ---
> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
> ---
> drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c
> b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..fff8dda14023 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void
> *data,
> return;
> } else {
> noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
> }
> noa_index = ie[3];
> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw,
> void *data,
> return;
> } else {
> noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
IMHO using min() would be cleaner, but I'm fine with this as well. Up to
you.
--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code
On Fri, 2019-10-18 at 07:43 -0400, Laura Abbott wrote:
> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
>
> Reported-by: Nicolas Waisman
> Signed-off-by: Laura Abbott
Acked-by: Ping-Ke Shih
and Please CC to stable
Cc: Stable # 4.4+
---
Hi Kalle,
This bug was existing since v3.10, and directory of wireless drivers were
moved at v4.4. Do I need send another patch to fix this issue for longterm
kernel v3.16.75?
Thanks
PK
> ---
> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
> ---
> drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c
> b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..fff8dda14023 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void
> *data,
> return;
> } else {
> noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
> }
> noa_index = ie[3];
> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw,
> void *data,
> return;
> } else {
> noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
> }
> noa_index = ie[3];
> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
