git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/4.9.131/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch
From foo@baz Sat Sep 29 04:29:21 PDT 2018
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 5 Jun 2018 14:31:39 +0300
Subject: rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ]

This is a static checker fix, not something I have tested. The issue
is that on the second iteration through the loop, we jump forward by
le32_to_cpu(auth_req->length) bytes. The problem is that if the length
is more than "buflen" then we end up with a negative "buflen". A
negative buflen is type promoted to a high positive value and the loop
continues but it's accessing beyond the end of the buffer.

I believe the "auth_req->length" comes from the firmware and if the
firmware is malicious or buggy, you're already toasted so the impact of
this bug is probably not very severe.

Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/rndis_wlan.c | 2 ++
 1 file changed, 2 insertions(+)

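The following is an added, stand-alone model of the loop the commit message describes; it is not the driver's code and not part of the patch. The record layout is an assumption modelled on struct ndis_80211_auth_request (field order and the 16-byte size are assumed), the names parse_unfixed, parse_fixed, demo and the MAX_ITER instrumentation are mine, and the sample indications are constructed. parse_fixed goes beyond the upstream check by also rejecting a length smaller than the record header, which is what stops a zero-length record from stalling the loop.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed record layout, modelled on struct ndis_80211_auth_request;
 * byte arrays keep the example endian-independent. */
struct auth_request {
    uint8_t length[4];   /* __le32, firmware-supplied record size */
    uint8_t bssid[6];
    uint8_t padding[2];
    uint8_t flags[4];    /* __le32 */
};

struct parse_result {
    int records;   /* records consumed before the loop stopped */
    bool oob;      /* loop would have read past the real buffer end */
    bool stalled;  /* loop stopped advancing (zero-length record) */
};

static uint32_t le32_to_host(const uint8_t b[4])
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

static void host_to_le32(uint8_t b[4], uint32_t v)
{
    b[0] = (uint8_t)v;         b[1] = (uint8_t)(v >> 8);
    b[2] = (uint8_t)(v >> 16); b[3] = (uint8_t)(v >> 24);
}

#define MAX_ITER 64  /* instrumentation only: lets a stuck loop return */

/* Unfixed loop. buflen is int, as in the driver: once a record's length
 * exceeds it, buflen goes negative and the comparison with size_t
 * promotes it to a huge unsigned value, so the loop keeps going. */
struct parse_result parse_unfixed(const uint8_t *buf, int buflen)
{
    struct parse_result r = {0, false, false};
    const long total = buflen;   /* real size, used only to detect OOB */
    long off = 0;                /* offset of the current record */
    int iter = 0;

    /* the cast spells out the driver's implicit int -> size_t promotion */
    while ((size_t)buflen >= sizeof(struct auth_request)) {
        uint32_t len;
        if (off + (long)sizeof(struct auth_request) > total) {
            r.oob = true;        /* the driver would dereference here */
            break;
        }
        len = le32_to_host(((const struct auth_request *)(buf + off))->length);
        r.records++;
        if (len == 0 || ++iter > MAX_ITER) {
            r.stalled = true;
            break;
        }
        buflen -= (int)len;      /* unchecked: may go negative */
        off += len;
    }
    return r;
}

/* Fixed loop: the upper bound is the upstream check; the lower bound
 * is the extra check that stops a zero or runt length from stalling. */
struct parse_result parse_fixed(const uint8_t *buf, int buflen)
{
    struct parse_result r = {0, false, false};
    long off = 0;

    while (buflen >= (int)sizeof(struct auth_request)) {
        const struct auth_request *req = (const void *)(buf + off);
        uint32_t len = le32_to_host(req->length);
        if (len > (uint32_t)buflen || len < sizeof(*req))
            return r;
        r.records++;
        buflen -= (int)len;
        off += len;
    }
    return r;
}

/* Constructed indication: n 16-byte records whose length fields the
 * "firmware" chooses, e.g. {16, 16, 16} is benign, {0x10000, 16} claims
 * far more than arrived, {0} never advances. At most 4 records fit. */
struct parse_result demo(const uint32_t *declared, int n, bool fixed)
{
    uint8_t ind[64];
    struct auth_request req;

    if (n > 4)
        n = 4;
    for (int i = 0; i < n; i++) {
        memset(&req, 0, sizeof(req));
        host_to_le32(req.length, declared[i]);
        memset(req.bssid, 0xAA, sizeof(req.bssid));   /* constructed BSSID */
        host_to_le32(req.flags, 0x6);                 /* pairwise MIC error */
        memcpy(ind + 16 * i, &req, sizeof(req));
    }
    return fixed ? parse_fixed(ind, 16 * n) : parse_unfixed(ind, 16 * n);
}
```

For the overshoot case parse_unfixed consumes the first record, drives buflen negative and would then read past the buffer, which the model reports as oob rather than dereferencing; parse_fixed returns before touching that record at all. The zero-length case shows why the lower bound matters: the upstream check alone lets a length of 0 through and the loop never advances.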
30 --- a/drivers/net/wireless/rndis_wlan.c
31 +++ b/drivers/net/wireless/rndis_wlan.c
32 @@ -2921,6 +2921,8 @@ static void rndis_wlan_auth_indication(s
33
34 while (buflen >= sizeof(*auth_req)) {
35 auth_req = (void *)buf;
36 + if (buflen < le32_to_cpu(auth_req->length))
37 + return;
38 type = "unknown";
39 flags = le32_to_cpu(auth_req->flags);
40 pairwise_error = false;
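Review bot: the new bound only rejects a length larger than buflen; a firmware-supplied length of 0, or any value below sizeof(*auth_req), still passes it, and since the loop advances by that same length (per the commit message) such a record leaves the loop spinning without progress. Suggest reading the field once and checking both directions, e.g. `len = le32_to_cpu(auth_req->length); if (len < sizeof(*auth_req) || len > buflen) return;`, which also saves re-converting the field where the loop advances. The int-vs-u32 comparison itself is fine here because the loop condition already guarantees buflen is positive at this point.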