On Thu, Jun 13, 2019 at 08:12:39PM +0200, Takashi Iwai wrote: > On Thu, 13 Jun 2019 19:49:40 +0200, > Brian Norris wrote: > > On Wed, May 29, 2019 at 02:52:20PM +0200, Takashi Iwai wrote: > > > --- a/drivers/net/wireless/marvell/mwifiex/scan.c > > > +++ b/drivers/net/wireless/marvell/mwifiex/scan.c > > > @@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, > > > break; > > > > > > case WLAN_EID_FH_PARAMS: > > > + if (element_len + 2 < sizeof(*fh_param_set)) > > > > "element_len + 2" would be much more readable as "total_ie_len". (Same for > > several other usages in this patch.) I can send such a patch myself as a > > follow-up I suppose. > > Yes, please. I'll wait until we straighten out the other (potentially) real bug. Don't want to make needless conflicts. > > > + return -EINVAL; > > > fh_param_set = > > > (struct ieee_types_fh_param_set *) current_ptr; > > > memcpy(&bss_entry->phy_param_set.fh_param_set, > > > > [...] > > > > > @@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, > > > break; > > > > > > case WLAN_EID_VENDOR_SPECIFIC: > > > + if (element_len + 2 < sizeof(vendor_ie->vend_hdr)) > > > > Why 'sizeof(vendor_ie->vend_hdr)'? The (mwifiex-specific compare with the > > ieee80211.h generic struct ieee80211_vendor_ie) ieee_types_vendor_header struct > > includes the 'oui_subtype' and 'version' fields, which are not standard > > requirements for the vendor header (in fact, even the 4th byte of the > > OUI -- "oui_type" -- doesn't appear to be in the 802.11 specification). > > So it looks to me like you might be rejecting valid vendor headers (that > > we should just be skipping) that might have vendor-specific content with > > length 0 or 1 bytes. > > > > It seems like we should only be validating the standard pieces (e.g., up to the > > length/OUI), and only after an appropriate OUI match, *then* validating the rest of > > the vendor element (the pieces we'll use later). > > Hm, right, that looks too strict. Instead we need to check right > before both memcmp()'s of OUI. I think this is the right place for one check (the memcmp() is right after this line anyway) -- the minimum length just should be smaller. e.g.: sizeof(struct ieee80211_vendor_ie) // this is still technically 1 byte too large I think or offsetof(struct ieee80211_vendor_ie, oui_type) // not sure if this is the cleanest... If it's smaller than that, we can still say -EINVAL. Then, we can go with: if (element_len < sizeof(wpa_oui) continue; or similar. So, I might say: /* Vendor IEs must at least contain the OUI. */ if (total_ie_len < offsetof(struct ieee80211_vendor_ie, oui_type)) return -EINVAL; /* If the IE still isn't long enough, it's not a match. */ if (element_len < sizeof(wpa_oui)) continue; Brian
