Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The "ie_len" variable is in the 0-255 range and it comes from the
network. If it's over NDIS_802_11_LENGTH_RATES_EX (16) then that will
lead to memory corruption.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200603101958.GA1845750@mwanda
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Dan Carpenter and committed by

Greg Kroah-Hartman 5 years ago b65a2d8c 29de523a

+3 -1

1 changed file

expand all

drivers

staging

rtl8723bs

core

rtw_wlan_util.c

+3 -1

drivers/staging/rtl8723bs/core/rtw_wlan_util.c

··· 1824 1824 pIE = (struct ndis_80211_var_ie *)rtw_get_ie(pvar_ie, _SUPPORTEDRATES_IE_, &ie_len, var_ie_len); 1825 1825 if (!pIE) 1826 1826 return _FAIL; 1827 + if (ie_len > sizeof(pmlmeinfo->FW_sta_info[cam_idx].SupportedRates)) 1828 + return _FAIL; 1827 1829 1828 1830 memcpy(pmlmeinfo->FW_sta_info[cam_idx].SupportedRates, pIE->data, ie_len); 1829 1831 supportRateNum = ie_len; 1830 1832 1831 1833 pIE = (struct ndis_80211_var_ie *)rtw_get_ie(pvar_ie, _EXT_SUPPORTEDRATES_IE_, &ie_len, var_ie_len); 1832 - if (pIE) 1834 + if (pIE && (ie_len <= sizeof(pmlmeinfo->FW_sta_info[cam_idx].SupportedRates) - supportRateNum)) 1833 1835 memcpy((pmlmeinfo->FW_sta_info[cam_idx].SupportedRates + supportRateNum), pIE->data, ie_len); 1834 1836 1835 1837 return _SUCCESS;