brcmfmac: add length check in brcmf_cfg80211_escan_handler()

Upon handling the firmware notification for scans the length was checked properly and may result in corrupting kernel heap memory due to buffer overruns. This fix addresses CVE-2017-0786. Cc: stable@vger.kernel.org # v4.0.x Cc: Kevin Cernekee <cernekee@chromium.org> Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> Reviewed-by: Franky Lin <franky.lin@broadcom.com> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
author: Arend Van Spriel <arend.vanspriel@broadcom.com> 2017-09-12 04:47:53 -0400
committer: Kalle Valo <kvalo@codeaurora.org> 2017-09-20 00:46:29 -0400
commit: 17df6453d4be17910456e99c5a85025aa1b7a246 (patch)
tree: ef84bc921d2e6fda33f14a1c5e3af899674bbc33 /drivers/net/wireless
parent: 4c707c04f622a7a8570a8db6389e5a2310b92195 (diff)
1 files changed, 15 insertions, 3 deletions
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index aaed4ab503ad..26a0de371c26 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -3162,6 +3162,7 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
        struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
        s32 status;
        struct brcmf_escan_result_le *escan_result_le;
+        u32 escan_buflen;
        struct brcmf_bss_info_le *bss_info_le;
        struct brcmf_bss_info_le *bss = NULL;
        u32 bi_length;
@@ -3181,11 +3182,23 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
        if (status == BRCMF_E_STATUS_PARTIAL) {
                brcmf_dbg(SCAN, "ESCAN Partial result\n");
+                if (e->datalen < sizeof(*escan_result_le)) {
+                        brcmf_err("invalid event data length\n");
+                        goto exit;
+                }
                escan_result_le = (struct brcmf_escan_result_le *) data;
                if (!escan_result_le) {
                        brcmf_err("Invalid escan result (NULL pointer)\n");
                        goto exit;
                }
+                escan_buflen = le32_to_cpu(escan_result_le->buflen);
+                if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
+                    escan_buflen > e->datalen ||
+                    escan_buflen < sizeof(*escan_result_le)) {
+                        brcmf_err("Invalid escan buffer length: %d\n",
+                                  escan_buflen);
+                        goto exit;
+                }
                if (le16_to_cpu(escan_result_le->bss_count) != 1) {
                        brcmf_err("Invalid bss_count %d: ignoring\n",
                                  escan_result_le->bss_count);
@@ -3202,9 +3215,8 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp,
                }
                bi_length = le32_to_cpu(bss_info_le->length);
-                if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
+                if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
-                                        WL_ESCAN_RESULTS_FIXED_SIZE)) {
+                        brcmf_err("Ignoring invalid bss_info length: %d\n",
-                        brcmf_err("Invalid bss_info length %d: ignoring\n",
                                  bi_length);
                        goto exit;
                }
author	Arend Van Spriel <arend.vanspriel@broadcom.com>	2017-09-12 04:47:53 -0400
committer	Kalle Valo <kvalo@codeaurora.org>	2017-09-20 00:46:29 -0400
commit	17df6453d4be17910456e99c5a85025aa1b7a246 (patch)
tree	ef84bc921d2e6fda33f14a1c5e3af899674bbc33 /drivers/net/wireless
parent	4c707c04f622a7a8570a8db6389e5a2310b92195 (diff)