mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings

mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and mwifiex_set_wmm_params() call memcpy() without checking the destination size.Since the source is given from user-space, this may trigger a heap buffer overflow. Fix them by putting the length check before performing memcpy(). This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816. Signed-off-by: Wen Huang <huangwenabc@gmail.com> Acked-by: Ganapathi Bhat <gbhat@marvell.comg> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
author: Wen Huang <huangwenabc@gmail.com> 2019-08-28 10:07:51 +0800
committer: Kalle Valo <kvalo@codeaurora.org> 2019-09-03 16:50:21 +0300
commit: 7caac62ed598a196d6ddf8d9c121e12e082cac3a (patch)
tree: 926f8c0a3bb5c8cff8ee3a1d5d8a4a85e94e853b /drivers/net/wireless/marvell/mwifiex/ie.c
parent: 70702265a04aa0ce5a7bde77d13456209992b32f (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c
index 653d347a9a19..580387f9f12a 100644
--- a/drivers/net/wireless/marvell/mwifiex/ie.c
+++ b/drivers/net/wireless/marvell/mwifiex/ie.c
@@ -241,6 +241,9 @@ static int mwifiex_update_vs_ie(const u8 *ies, int ies_len,
 		}
 
 		vs_ie = (struct ieee_types_header *)vendor_ie;
+		if (le16_to_cpu(ie->ie_length) + vs_ie->len + 2 >
+			IEEE_MAX_IE_SIZE)
+			return -EINVAL;
 		memcpy(ie->ie_buffer + le16_to_cpu(ie->ie_length),
 		       vs_ie, vs_ie->len + 2);
 		le16_unaligned_add_cpu(&ie->ie_length, vs_ie->len + 2);
author	Wen Huang <huangwenabc@gmail.com>	2019-08-28 10:07:51 +0800
committer	Kalle Valo <kvalo@codeaurora.org>	2019-09-03 16:50:21 +0300
commit	7caac62ed598a196d6ddf8d9c121e12e082cac3a (patch)
tree	926f8c0a3bb5c8cff8ee3a1d5d8a4a85e94e853b /drivers/net/wireless/marvell/mwifiex/ie.c
parent	70702265a04aa0ce5a7bde77d13456209992b32f (diff)