1 From foo@baz Sat Sep 29 04:29:21 PDT 2018
2 From: Dan Carpenter <dan.carpenter@oracle.com>
3 Date: Tue, 5 Jun 2018 14:31:39 +0300
4 Subject: rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
6 From: Dan Carpenter <dan.carpenter@oracle.com>
8 [ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ]
10 This is a static checker fix, not something I have tested. The issue
11 is that on the second iteration through the loop, we jump forward by
12 le32_to_cpu(auth_req->length) bytes. The problem is that if the length
13 is more than "buflen" then we end up with a negative "buflen". A
14 negative buflen is type promoted to a high positive value and the loop
15 continues but it's accessing beyond the end of the buffer.
17 I believe the "auth_req->length" comes from the firmware and if the
18 firmware is malicious or buggy, you're already toasted so the impact of
19 this bug is probably not very severe.
21 Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device")
22 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
23 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
24 Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
25 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
27 drivers/net/wireless/rndis_wlan.c | 2 ++
28 1 file changed, 2 insertions(+)
30 --- a/drivers/net/wireless/rndis_wlan.c
31 +++ b/drivers/net/wireless/rndis_wlan.c
32 @@ -2921,6 +2921,8 @@ static void rndis_wlan_auth_indication(s
34 while (buflen >= sizeof(*auth_req)) {
35 auth_req = (void *)buf;
36 + if (buflen < le32_to_cpu(auth_req->length))
39 flags = le32_to_cpu(auth_req->flags);
40 pairwise_error = false;