Re: [PATCH 1/2] HE: fix ieee80211_he_capabilities size

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Monday, 1 July 2019 15:13:48 CEST John Crispin wrote:
> 
> On 01/07/2019 15:00, Sven Eckelmann wrote:
> > On Monday, 1 July 2019 14:39:25 CEST John Crispin wrote:
> >> @@ -325,7 +353,7 @@ u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
> >>   {
> >>          if (!he_capab || !hapd->iconf->ieee80211ax ||
> >>              !check_valid_he_mcs(hapd, he_capab, opmode) ||
> >> -           he_capab_len > sizeof(struct ieee80211_he_capabilities)) {
> >> +           ieee80211_check_he_cap_size(he_capab, he_capab_len)) {
> >>                  sta->flags &= ~WLAN_STA_HE;
> >>                  os_free(sta->he_capab);
> >>                  sta->he_capab = NULL;
> >> @@ -334,13 +362,13 @@ u16 copy_sta_he_capab(struct hostapd_data *hapd, struct sta_info *sta,
> >>   
> >>          if (!sta->he_capab) {
> >>                  sta->he_capab =
> >> -                       os_zalloc(sizeof(struct ieee80211_he_capabilities));
> >> +                       os_zalloc(he_capab_len);
> >>                  if (!sta->he_capab)
> >>                          return WLAN_STATUS_UNSPECIFIED_FAILURE;
> >>          }
> >>   
> >>          sta->flags |= WLAN_STA_HE;
> >> -       os_memset(sta->he_capab, 0, sizeof(struct ieee80211_he_capabilities));
> >> +       os_memset(sta->he_capab, 0, he_capab_len);
> >>          os_memcpy(sta->he_capab, he_capab, he_capab_len);
> >>          sta->he_capab_len = he_capab_len;
> > Isn't this creating the same sta->he_capab size uncertainty which Jouni
> > previously found in the old version of the patch [1].
> >
> > Kind regards,
> > 	Sven
> >
> no, the call to ieee80211_check_he_cap_size(he_capab, he_capab_len) will 
> make sure the length is valid

I think we are talking about two different things.  sta->he_capab is either 
NULL or has a size X. This size X is not checked anywhere. Please think about 
following scenario:

* first round of copy_sta_he_capab for sta
  - copy_sta_he_capab is called for size X, sta->he_capab is NULL
  - ieee80211_check_he_cap_size doesn't detect wrong he_capab_len
    (he_capab requires size X == he_capab_len)
  - sta->he_capab is allocated with size X
  - memcpy happens with size X
* second round of copy_sta_he_capab for sta
  - copy_sta_he_capab is called for size Y (Y > X), sta->he_capab is of size Y
  - ieee80211_check_he_cap_size doesn't detect wrong he_capab_len
    (he_capab requires size Y == he_capab_len)
  - sta->he_capab is not reallocated
  - memcpy happens with size Y -> *buffer overflow on heap*

Kind regards,
	Sven

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux