mwifiex: Abort at too short BSS descriptor element

Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
the source descriptor entries contain the enough size for each type
and performs copying without checking the source size.  This may lead
to read over boundary.

Fix this by putting the source size check in appropriate places.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

1 files changed, 15 insertions, 0 deletions

diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
index 64ab6fe78c0d..c269a0de9413 100644
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
                         break;
 
                 case WLAN_EID_FH_PARAMS:
+                        if (element_len + 2 < sizeof(*fh_param_set))
+                                return -EINVAL;
                         fh_param_set =
                                 (struct ieee_types_fh_param_set *) current_ptr;
                         memcpy(&bss_entry->phy_param_set.fh_param_set,
@@ -1277,6 +1279,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
                         break;
 
                 case WLAN_EID_DS_PARAMS:
+                        if (element_len + 2 < sizeof(*ds_param_set))
+                                return -EINVAL;
                         ds_param_set =
                                 (struct ieee_types_ds_param_set *) current_ptr;
 
@@ -1288,6 +1292,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
                         break;
 
                 case WLAN_EID_CF_PARAMS:
+                        if (element_len + 2 < sizeof(*cf_param_set))
+                                return -EINVAL;
                         cf_param_set =
                                 (struct ieee_types_cf_param_set *) current_ptr;
                         memcpy(&bss_entry->ss_param_set.cf_param_set,
@@ -1296,6 +1302,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
                         break;
 
                 case WLAN_EID_IBSS_PARAMS:
+                        if (element_len + 2 < sizeof(*ibss_param_set))
+                                return -EINVAL;
                         ibss_param_set =
                                 (struct ieee_types_ibss_param_set *)
                                 current_ptr;
@@ -1305,10 +1313,14 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
                         break;
 
                 case WLAN_EID_ERP_INFO:
+                        if (!element_len)
+                                return -EINVAL;
                         bss_entry->erp_flags = *(current_ptr + 2);
                         break;
 
                 case WLAN_EID_PWR_CONSTRAINT:
+                        if (!element_len)
+                                return -EINVAL;
                         bss_entry->local_constraint = *(current_ptr + 2);
                         bss_entry->sensed_11h = true;
                         break;
@@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
                         break;
 
                 case WLAN_EID_VENDOR_SPECIFIC:
+                        if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
+                                return -EINVAL;
+
                         vendor_ie = (struct ieee_types_vendor_specific *)
                                         current_ptr;