Commit 0cdfa9e

philipturnbull authored and Kalle Valo committed
wifi: wilc1000: validate number of channels
There is no validation of 'e->no_of_channels' which can trigger an out-of-bounds write in the following 'memset' call. Validate that the number of channels does not extend beyond the size of the channel list element.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-5-philipturnbull@github.com
1 parent f9b62f9 commit 0cdfa9e

1 file changed: +16 -6 lines changed

Diff for: drivers/net/wireless/microchip/wilc1000/cfg80211.c

@@ -981,19 +981,29 @@ static inline void wilc_wfi_cfg_parse_ch_attr(u8 *buf, u32 len, u8 sta_ch)
981981
}
982982

983983
if (ch_list_idx) {
984-
u16 attr_size;
985-
struct wilc_ch_list_elem *e;
986-
int i;
984+
u16 elem_size;
987985

988986
ch_list = (struct wilc_attr_ch_list *)&buf[ch_list_idx];
989-
attr_size = le16_to_cpu(ch_list->attr_len);
990-
for (i = 0; i < attr_size;) {
987+
/* the number of bytes following the final 'elem' member */
988+
elem_size = le16_to_cpu(ch_list->attr_len) -
989+
(sizeof(*ch_list) - sizeof(struct wilc_attr_entry));
990+
for (unsigned int i = 0; i < elem_size;) {
991+
struct wilc_ch_list_elem *e;
992+
991993
e = (struct wilc_ch_list_elem *)(ch_list->elem + i);
994+
995+
i += sizeof(*e);
996+
if (i > elem_size)
997+
break;
998+
999+
i += e->no_of_channels;
1000+
if (i > elem_size)
1001+
break;
1002+
9921003
if (e->op_class == WILC_WLAN_OPERATING_CLASS_2_4GHZ) {
9931004
memset(e->ch_list, sta_ch, e->no_of_channels);
9941005
break;
9951006
}
996-
i += e->no_of_channels;
9971007
}
9981008
}
9991009
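
Review bot: the 'elem_size' assignment can wrap. If 'ch_list->attr_len' is smaller than 'sizeof(*ch_list) - sizeof(struct wilc_attr_entry)', the subtraction goes negative and the u16 ends up close to 65535, at which point the two new 'if (i > elem_size) break;' checks no longer bound anything and 'memset(e->ch_list, sta_ch, e->no_of_channels)' can still write past the attribute. Nothing in this hunk shows a lower bound on 'attr_len', or that the attribute fits inside 'len', so either name in the commit message where 'ch_list_idx' is set with that guarantee, or skip the loop here when 'attr_len' is below the header size. Two smaller points: the comment on 'elem_size' would read more clearly as the number of bytes available in 'elem', and the removed code declared 'int i' at the top of the block, so the move to 'for (unsigned int i = 0; ...' is worth a word in the commit message if it is intentional.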
