git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Dan Carpenter <dan.carpenter@oracle.com>
	Tue, 5 Jun 2018 11:31:39 +0000 (14:31 +0300)
committer	Juerg Haefliger <juergh@canonical.com>
	Wed, 24 Jul 2019 01:51:01 +0000 (19:51 -0600)
commit	6bd13c5e575eea4e71bae852ae76c6727ab01f0a
tree	0b2980162de2e170b77bc9400b0c61faaa2056fa	tree
parent	69458340c6e82415254f0c5599cc84a7530ba687	commit \| diff

rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()

BugLink: https://bugs.launchpad.net/bugs/1836287
[ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ]

This is a static checker fix, not something I have tested.  The issue
is that on the second iteration through the loop, we jump forward by
le32_to_cpu(auth_req->length) bytes.  The problem is that if the length
is more than "buflen" then we end up with a negative "buflen".  A
negative buflen is type promoted to a high positive value and the loop
continues but it's accessing beyond the end of the buffer.

I believe the "auth_req->length" comes from the firmware and if the
firmware is malicious or buggy, you're already toasted so the impact of
this bug is probably not very severe.

Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>