In cfg80211 flow, when handling userspace netlink messages if input cipher mode is WLAN_CIPHER_SUITE_SMS4 will make cfg80211_validate_key_settings not check key_len and seq_len which will cause controllable memcpy overwrite So needs to check them in mwifiex_set_encode. Signed-off-by: pinkperfect <pinkperfect2021@xxxxxxxxx> --- drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c index a2ad2b53f016..bddc11eac8a9 100644 --- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c @@ -1099,6 +1099,11 @@ int mwifiex_set_encode(struct mwifiex_private *priv, struct key_params *kp, { struct mwifiex_ds_encrypt_key encrypt_key; + if (key_len > WLAN_MAX_KEY_LEN || (kp && kp->seq_len > PN_LEN)) { + mwifiex_dbg(priv->adapter, ERROR, "invalid parameters"); + return -1; + } + memset(&encrypt_key, 0, sizeof(encrypt_key)); encrypt_key.key_len = key_len; encrypt_key.key_index = key_index; -- 2.25.1
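Review bot: the new bounds check in mwifiex_set_encode returns a bare -1 instead of an errno value; since this path is reached from cfg80211 on behalf of a userspace netlink request, it should return -EINVAL so the caller and userspace see a meaningful error code rather than -EPERM (errno 1). Suggest:

    return -EINVAL;

Two smaller points on the same lines: the mwifiex_dbg message "invalid parameters" lacks the trailing newline the driver's other log lines use, and it would help anyone triaging a rejected key to log which field failed (key_len vs. kp->seq_len) and its value. Also consider adding a Fixes: tag and a short note in the commit message on why cfg80211_validate_key_settings skips the length checks for WLAN_CIPHER_SUITE_SMS4, so the rationale for validating in the driver is recorded with the change.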