4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Sep 2019 14:18:23 +0000 (16:18 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Sep 2019 14:18:23 +0000 (16:18 +0200)
added patches:
mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch

queue-4.4/mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch b/queue-4.4/mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch
new file mode 100644 (file)
index 0000000..3f398de
--- /dev/null
@@ -0,0 +1,73 @@
+From 7caac62ed598a196d6ddf8d9c121e12e082cac3a Mon Sep 17 00:00:00 2001
+From: Wen Huang <huangwenabc@gmail.com>
+Date: Wed, 28 Aug 2019 10:07:51 +0800
+Subject: mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
+
+From: Wen Huang <huangwenabc@gmail.com>
+
+commit 7caac62ed598a196d6ddf8d9c121e12e082cac3a upstream.
+
+mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and
+mwifiex_set_wmm_params() call memcpy() without checking
+the destination size.Since the source is given from
+user-space, this may trigger a heap buffer overflow.
+
+Fix them by putting the length check before performing memcpy().
+
+This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816.
+
+Signed-off-by: Wen Huang <huangwenabc@gmail.com>
+Acked-by: Ganapathi Bhat <gbhat@marvell.comg>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/ie.c      |    3 +++
+ drivers/net/wireless/mwifiex/uap_cmd.c |    9 ++++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mwifiex/ie.c
++++ b/drivers/net/wireless/mwifiex/ie.c
+@@ -240,6 +240,9 @@ static int mwifiex_update_vs_ie(const u8
+               }
+               vs_ie = (struct ieee_types_header *)vendor_ie;
++              if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 >
++                      IEEE_MAX_IE_SIZE)
++                      return -EINVAL;
+               memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length),
+                      vs_ie, vs_ie->len + 2);
+               le16_add_cpu(&ie->ie_length, vs_ie->len + 2);
+--- a/drivers/net/wireless/mwifiex/uap_cmd.c
++++ b/drivers/net/wireless/mwifiex/uap_cmd.c
+@@ -286,6 +286,8 @@ mwifiex_set_uap_rates(struct mwifiex_uap
+       rate_ie = (void *)cfg80211_find_ie(WLAN_EID_SUPP_RATES, var_pos, len);
+       if (rate_ie) {
++              if (rate_ie->len > MWIFIEX_SUPPORTED_RATES)
++                      return;
+               memcpy(bss_cfg->rates, rate_ie + 1, rate_ie->len);
+               rate_len = rate_ie->len;
+       }
+@@ -293,8 +295,11 @@ mwifiex_set_uap_rates(struct mwifiex_uap
+       rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
+                                          params->beacon.tail,
+                                          params->beacon.tail_len);
+-      if (rate_ie)
++      if (rate_ie) {
++              if (rate_ie->len > MWIFIEX_SUPPORTED_RATES - rate_len)
++                      return;
+               memcpy(bss_cfg->rates + rate_len, rate_ie + 1, rate_ie->len);
++      }
+       return;
+ }
+@@ -412,6 +417,8 @@ mwifiex_set_wmm_params(struct mwifiex_pr
+                                           params->beacon.tail_len);
+       if (vendor_ie) {
+               wmm_ie = (struct ieee_types_header *)vendor_ie;
++              if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info))
++                      return;
+               memcpy(&bss_cfg->wmm_info, wmm_ie + 1,
+                      sizeof(bss_cfg->wmm_info));
+               priv->wmm_enabled = 1;
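Review bot: In the mwifiex_set_wmm_params() hunk, the added guard `if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info))` does not bound the memcpy() that follows it. That copy always moves `sizeof(bss_cfg->wmm_info)` bytes from `wmm_ie + 1`, so the destination cannot overflow there, while an element shorter than the struct is still read past its end. The line above casts `vendor_ie` to `struct ieee_types_header *`, so in this tree `wmm_ie + 1` is presumably a struct pointer; dereferencing it would not yield the length byte and may not compile. The check reads as if it was written for a `u8 *`. I would test the header field and require enough payload instead, along the lines of `if (wmm_ie->len < sizeof(bss_cfg->wmm_info)) return;`, after confirming the struct layout against the element body. The function starts and ends outside the hunk, so the declaration of `wmm_ie` should be checked before applying this to 4.4.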
index 62898bdaf40874549677041ad5f03c3c99b48719..7a1147c9ebbed1da40a01438065ab89539d606e4 100644 (file)
@@ -31,3 +31,4 @@ xen-netfront-do-not-assume-sk_buff_head-list-is-empty-in-error-handling.patch
 kvm-coalesced_mmio-add-bounds-checking.patch
 serial-sprd-correct-the-wrong-sequence-of-arguments.patch
 tty-serial-atmel-reschedule-tx-after-rx-was-started.patch
+mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch