subject:"\"\\\[PATCH v2\\\] rtlwifi\\\: Fix potential overflow on P2P code\""

Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

2019-10-23 Thread Kalle Valo

Laura Abbott  wrote:

> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
> 
> Reported-by: Nicolas Waisman 
> Signed-off-by: Laura Abbott 
> Acked-by: Ping-Ke Shih 

Patch applied to wireless-drivers.git, thanks.

8c55dedb795b rtlwifi: Fix potential overflow on P2P code

-- 
https://patchwork.kernel.org/patch/11198315/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

2019-10-19 Thread Kalle Valo

Laura Abbott  writes:

> On 10/19/19 6:51 AM, Kalle Valo wrote:
>> Laura Abbott  writes:
>>
>>> Nicolas Waisman noticed that even though noa_len is checked for
>>> a compatible length it's still possible to overrun the buffers
>>> of p2pinfo since there's no check on the upper bound of noa_num.
>>> Bound noa_num against P2P_MAX_NOA_NUM.
>>>
>>> Reported-by: Nicolas Waisman 
>>> Signed-off-by: Laura Abbott 
>>> ---
>>> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
>>> ---
>>>   drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++
>>>   1 file changed, 6 insertions(+)
>>>
>>> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c 
>>> b/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> index 70f04c2f5b17..fff8dda14023 100644
>>> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
>>> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, 
>>> void *data,
>>> return;
>>> } else {
>>> noa_num = (noa_len - 2) / 13;
>>> +   if (noa_num > P2P_MAX_NOA_NUM)
>>> +   noa_num = P2P_MAX_NOA_NUM;
>>> +
>>> }
>>> noa_index = ie[3];
>>> if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
>>> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, 
>>> void *data,
>>> return;
>>> } else {
>>> noa_num = (noa_len - 2) / 13;
>>> +   if (noa_num > P2P_MAX_NOA_NUM)
>>> +   noa_num = P2P_MAX_NOA_NUM;
>>
>> IMHO using min() would be cleaner, but I'm fine with this as well. Up to
>> you.
>>
>
> I believe the intention is to re-write this anyway so I'd prefer to
> just get this in given the uptick this issue seems to have gotten.

Ok, I'll queue this to v5.4.

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

2019-10-19 Thread Laura Abbott


On 10/19/19 6:51 AM, Kalle Valo wrote:

Laura Abbott  writes:


Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bound noa_num against P2P_MAX_NOA_NUM.

Reported-by: Nicolas Waisman 
Signed-off-by: Laura Abbott 
---
v2: Use P2P_MAX_NOA_NUM instead of erroring out.
---
  drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++
  1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c 
b/drivers/net/wireless/realtek/rtlwifi/ps.c
index 70f04c2f5b17..fff8dda14023 100644
--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
+++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
@@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void 
*data,
return;
} else {
noa_num = (noa_len - 2) / 13;
+   if (noa_num > P2P_MAX_NOA_NUM)
+   noa_num = P2P_MAX_NOA_NUM;
+
}
noa_index = ie[3];
if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
@@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void 
*data,
return;
} else {
noa_num = (noa_len - 2) / 13;
+   if (noa_num > P2P_MAX_NOA_NUM)
+   noa_num = P2P_MAX_NOA_NUM;


IMHO using min() would be cleaner, but I'm fine with this as well. Up to
you.



I believe the intention is to re-write this anyway so I'd prefer to
just get this in given the uptick this issue seems to have gotten.

Thanks,
Laura

Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

2019-10-19 Thread Kalle Valo

Pkshih  writes:

> On Fri, 2019-10-18 at 07:43 -0400, Laura Abbott wrote:
>> Nicolas Waisman noticed that even though noa_len is checked for
>> a compatible length it's still possible to overrun the buffers
>> of p2pinfo since there's no check on the upper bound of noa_num.
>> Bound noa_num against P2P_MAX_NOA_NUM.
>> 
>> Reported-by: Nicolas Waisman 
>> Signed-off-by: Laura Abbott 
>
> Acked-by: Ping-Ke Shih 
> and Please CC to stable
> Cc: Stable  # 4.4+
>
> ---
>
> Hi Kalle,
>
> This bug was existing since v3.10, and directory of wireless drivers were
> moved at v4.4. Do I need send another patch to fix this issue for longterm
> kernel v3.16.75?

Yeah, I think you need to send a separate patch to the stable list
(after this commit is in Linus' tree).

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

2019-10-19 Thread Kalle Valo

Laura Abbott  writes:

> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
>
> Reported-by: Nicolas Waisman 
> Signed-off-by: Laura Abbott 
> ---
> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
> ---
>  drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++
>  1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c 
> b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..fff8dda14023 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void 
> *data,
>   return;
>   } else {
>   noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
>   }
>   noa_index = ie[3];
>   if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, 
> void *data,
>   return;
>   } else {
>   noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;

IMHO using min() would be cleaner, but I'm fine with this as well. Up to
you.

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

2019-10-18 Thread Pkshih

On Fri, 2019-10-18 at 07:43 -0400, Laura Abbott wrote:
> Nicolas Waisman noticed that even though noa_len is checked for
> a compatible length it's still possible to overrun the buffers
> of p2pinfo since there's no check on the upper bound of noa_num.
> Bound noa_num against P2P_MAX_NOA_NUM.
> 
> Reported-by: Nicolas Waisman 
> Signed-off-by: Laura Abbott 

Acked-by: Ping-Ke Shih 
and Please CC to stable
Cc: Stable  # 4.4+

---

Hi Kalle,

This bug was existing since v3.10, and directory of wireless drivers were
moved at v4.4. Do I need send another patch to fix this issue for longterm
kernel v3.16.75?

Thanks
PK


> ---
> v2: Use P2P_MAX_NOA_NUM instead of erroring out.
> ---
>  drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c
> b/drivers/net/wireless/realtek/rtlwifi/ps.c
> index 70f04c2f5b17..fff8dda14023 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/ps.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
> @@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void
> *data,
>   return;
>   } else {
>   noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
>   }
>   noa_index = ie[3];
>   if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
> @@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw,
> void *data,
>   return;
>   } else {
>   noa_num = (noa_len - 2) / 13;
> + if (noa_num > P2P_MAX_NOA_NUM)
> + noa_num = P2P_MAX_NOA_NUM;
> +
>   }
>   noa_index = ie[3];
>   if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==

[PATCH v2] rtlwifi: Fix potential overflow on P2P code

2019-10-18 Thread Laura Abbott

Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bound noa_num against P2P_MAX_NOA_NUM.

Reported-by: Nicolas Waisman 
Signed-off-by: Laura Abbott 
---
v2: Use P2P_MAX_NOA_NUM instead of erroring out.
---
 drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c 
b/drivers/net/wireless/realtek/rtlwifi/ps.c
index 70f04c2f5b17..fff8dda14023 100644
--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
+++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
@@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void 
*data,
return;
} else {
noa_num = (noa_len - 2) / 13;
+   if (noa_num > P2P_MAX_NOA_NUM)
+   noa_num = P2P_MAX_NOA_NUM;
+
}
noa_index = ie[3];
if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
@@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void 
*data,
return;
} else {
noa_num = (noa_len - 2) / 13;
+   if (noa_num > P2P_MAX_NOA_NUM)
+   noa_num = P2P_MAX_NOA_NUM;
+
}
noa_index = ie[3];
if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
-- 
2.21.0

Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

Re: [PATCH v2] rtlwifi: Fix potential overflow on P2P code

[PATCH v2] rtlwifi: Fix potential overflow on P2P code

7 matches

Site Navigation

Mail list logo

Footer information