wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute

stable inclusion from stable-v5.10.157 commit 5a068535c0073c8402aa0755e8ef259fb98a33c5 category: bugfix bugzilla: 188173 https://gitee.com/src-openeuler/kernel/issues/I66M3J CVE: CVE-2022-47521 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5a068535c0073c8402aa0755e8ef259fb98a33c5 -------------------------------- commit f9b62f98 upstream. Validate that the IEEE80211_P2P_ATTR_CHANNEL_LIST attribute contains enough space for a 'struct wilc_attr_oper_ch'. If the attribute is too small then it can trigger an out-of-bounds write later in the function. 'struct wilc_attr_oper_ch' is variable sized so also check 'attr_len' does not extend beyond the end of 'buf'. Signed-off-by: N Phil Turnbull <philipturnbull@github.com> Tested-by: N Ajay Kathat <ajay.kathat@microchip.com> Acked-by: N Ajay Kathat <ajay.kathat@microchip.com> Signed-off-by: N Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20221123153543.8568-4-philipturnbull@github.comSigned-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Liu Jian <liujian56@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com>

wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute
stable inclusion from stable-v5.10.157 commit 5a068535c0073c8402aa0755e8ef259fb98a33c5 category: bugfix bugzilla: 188173 https://gitee.com/src-openeuler/kernel/issues/I66M3J CVE: CVE-2022-47521 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5a068535c0073c8402aa0755e8ef259fb98a33c5 -------------------------------- commit f9b62f98 upstream. Validate that the IEEE80211_P2P_ATTR_CHANNEL_LIST attribute contains enough space for a 'struct wilc_attr_oper_ch'. If the attribute is too small then it can trigger an out-of-bounds write later in the function. 'struct wilc_attr_oper_ch' is variable sized so also check 'attr_len' does not extend beyond the end of 'buf'. Signed-off-by: N Phil Turnbull <philipturnbull@github.com> Tested-by: N Ajay Kathat <ajay.kathat@microchip.com> Acked-by: N Ajay Kathat <ajay.kathat@microchip.com> Signed-off-by: N Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20221123153543.8568-4-philipturnbull@github.comSigned-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Liu Jian <liujian56@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com>
788f0268 · Phil Turnbull · Zheng Zengkai · 1d0e6131 · 788f0268
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

drivers/net/wireless/microchip/wilc1000/cfg80211.c drivers/net/wireless/microchip/wilc1000/cfg80211.c +2 -1

未找到文件。
--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c
+++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c
@@ -947,7 +947,8 @@ static inline void wilc_wfi_cfg_parse_ch_attr(u8 *buf, u32 len, u8 sta_ch)
 		if (index + sizeof(*e) + attr_size > len)
 			return;

-		if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST)
+		if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST &&
+		    attr_size >= (sizeof(struct wilc_attr_ch_list) - sizeof(*e)))
 			ch_list_idx = index;
 		else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL &&
 			 attr_size == (sizeof(struct wilc_attr_oper_ch) - sizeof(*e)))