From 7a84a8a9f879605eedf726b4a72340e85184212f Mon Sep 17 00:00:00 2001 From: Wen Huang Date: Tue, 26 Nov 2019 09:39:00 +0100 Subject: [PATCH] UBUNTU: SAUCE: libertas: Fix two buffer overflows at parsing bss descriptor add_ie_rates() copys rates without checking the length in bss descriptor from remote AP.when victim connects to remote attacker, this may trigger buffer overflow. lbs_ibss_join_existing() copys rates without checking the length in bss descriptor from remote IBSS node.when victim connects to remote attacker, this may trigger buffer overflow. Fix them by putting the length check before performing copy. This fix addresses CVE-2019-14896 and CVE-2019-14897. Signed-off-by: Wen Huang CVE-2019-14896 CVE-2019-14897 (cherry picked from https://patchwork.kernel.org/patch/11257187/) Signed-off-by: Stefan Bader Acked-by: Kleber Sacilotto de Souza Acked-by: Andrea Righi Signed-off-by: Kleber Sacilotto de Souza --- drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c index f99031cfdf86..57876e6c6495 100644 --- a/drivers/net/wireless/marvell/libertas/cfg.c +++ b/drivers/net/wireless/marvell/libertas/cfg.c @@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int *nrates) int hw, ap, ap_max = ie[1]; u8 hw_rate; + if (ap_max > MAX_RATES) { + lbs_deb_assoc("invalid rates\n"); + return tlv; + } /* Advance past IE header */ ie += 2; @@ -1777,6 +1781,10 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, } else { int hw, i; u8 rates_max = rates_eid[1]; + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); + goto out; + } u8 *rates = cmd.bss.rates; for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { u8 hw_rate = lbs_rates[hw].bitrate / 5; -- 2.39.2