Skip to content
Permalink
Browse files Browse the repository at this point in the history
wifi: wilc1000: validate number of channels
There is no validation of 'e->no_of_channels' which can trigger an
out-of-bounds write in the following 'memset' call. Validate that the
number of channels does not extends beyond the size of the channel list
element.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-5-philipturnbull@github.com
  • Loading branch information
philipturnbull authored and Kalle Valo committed Nov 24, 2022
1 parent f9b62f9 commit 0cdfa9e
Showing 1 changed file with 16 additions and 6 deletions.
22 changes: 16 additions & 6 deletions drivers/net/wireless/microchip/wilc1000/cfg80211.c
Expand Up @@ -981,19 +981,29 @@ static inline void wilc_wfi_cfg_parse_ch_attr(u8 *buf, u32 len, u8 sta_ch)
}

if (ch_list_idx) {
u16 attr_size;
struct wilc_ch_list_elem *e;
int i;
u16 elem_size;

ch_list = (struct wilc_attr_ch_list *)&buf[ch_list_idx];
attr_size = le16_to_cpu(ch_list->attr_len);
for (i = 0; i < attr_size;) {
/* the number of bytes following the final 'elem' member */
elem_size = le16_to_cpu(ch_list->attr_len) -
(sizeof(*ch_list) - sizeof(struct wilc_attr_entry));
for (unsigned int i = 0; i < elem_size;) {
struct wilc_ch_list_elem *e;

e = (struct wilc_ch_list_elem *)(ch_list->elem + i);

i += sizeof(*e);
if (i > elem_size)
break;

i += e->no_of_channels;
if (i > elem_size)
break;

if (e->op_class == WILC_WLAN_OPERATING_CLASS_2_4GHZ) {
memset(e->ch_list, sta_ch, e->no_of_channels);
break;
}
i += e->no_of_channels;
}
}

Expand Down

0 comments on commit 0cdfa9e

Please sign in to comment.