mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings

mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and mwifiex_set_wmm_params() call memcpy() without checking the destination size.Since the source is given from user-space, this may trigger a heap buffer overflow. Fix them by putting the length check before performing memcpy(). This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816. Signed-off-by: Wen Huang <huangwenabc@gmail.com> Acked-by: Ganapathi Bhat <gbhat@marvell.comg> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
author: Wen Huang <huangwenabc@gmail.com> 2019-08-27 22:07:51 -0400
committer: Kalle Valo <kvalo@codeaurora.org> 2019-09-03 09:50:21 -0400
commit: 7caac62ed598a196d6ddf8d9c121e12e082cac3a (patch)
tree: 926f8c0a3bb5c8cff8ee3a1d5d8a4a85e94e853b /drivers/net/wireless
parent: 70702265a04aa0ce5a7bde77d13456209992b32f (diff)
2 files changed, 11 insertions, 1 deletions
diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c
index 653d347a9a19..580387f9f12a 100644
--- a/drivers/net/wireless/marvell/mwifiex/ie.c
+++ b/drivers/net/wireless/marvell/mwifiex/ie.c
@@ -241,6 +241,9 @@ static int mwifiex_update_vs_ie(const u8 *ies, int ies_len,
                }
                vs_ie = (struct ieee_types_header *)vendor_ie;
+                if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 >
+                        IEEE_MAX_IE_SIZE)
+                        return -EINVAL;
                memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length),
                       vs_ie, vs_ie->len + 2);
                le16_unaligned_add_cpu(&ie->ie_length, vs_ie->len + 2);
diff --git a/drivers/net/wireless/marvell/mwifiex/uap_cmd.c b/drivers/net/wireless/marvell/mwifiex/uap_cmd.c
index 18f7d9bf30b2..0939a8c8f3ab 100644
--- a/drivers/net/wireless/marvell/mwifiex/uap_cmd.c
+++ b/drivers/net/wireless/marvell/mwifiex/uap_cmd.c
@@ -265,6 +265,8 @@ mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg,
        rate_ie = (void *)cfg80211_find_ie(WLAN_EID_SUPP_RATES, var_pos, len);
        if (rate_ie) {
+                if (rate_ie->len > MWIFIEX_SUPPORTED_RATES)
+                        return;
                memcpy(bss_cfg->rates, rate_ie + 1, rate_ie->len);
                rate_len = rate_ie->len;
        }
@@ -272,8 +274,11 @@ mwifiex_set_uap_rates(struct mwifiex_uap_bss_param *bss_cfg,
        rate_ie = (void *)cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
                                           params->beacon.tail,
                                           params->beacon.tail_len);
-        if (rate_ie)
+        if (rate_ie) {
+                if (rate_ie->len > MWIFIEX_SUPPORTED_RATES - rate_len)
+                        return;
                memcpy(bss_cfg->rates + rate_len, rate_ie + 1, rate_ie->len);
+        }
        return;
 }
@@ -391,6 +396,8 @@ mwifiex_set_wmm_params(struct mwifiex_private *priv,
                                            params->beacon.tail_len);
        if (vendor_ie) {
                wmm_ie = vendor_ie;
+                if (*(wmm_ie + 1) > sizeof(struct mwifiex_types_wmm_info))
+                        return;
                memcpy(&bss_cfg->wmm_info, wmm_ie +
                       sizeof(struct ieee_types_header), *(wmm_ie + 1));
                priv->wmm_enabled = 1;
author	Wen Huang <huangwenabc@gmail.com>	2019-08-27 22:07:51 -0400
committer	Kalle Valo <kvalo@codeaurora.org>	2019-09-03 09:50:21 -0400
commit	7caac62ed598a196d6ddf8d9c121e12e082cac3a (patch)
tree	926f8c0a3bb5c8cff8ee3a1d5d8a4a85e94e853b /drivers/net/wireless
parent	70702265a04aa0ce5a7bde77d13456209992b32f (diff)