Home Explore Help
Register Sign In
wareck
/
openwrt_lede
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
openwrt_lede
/
package
/
kernel
/
mac80211
/
patches
/
347-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch

347-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch 2.1 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950 
  1. From e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d Mon Sep 17 00:00:00 2001
    2. 

  2. From: Dan Carpenter <dan.carpenter@oracle.com>
    3. 

  3. Date: Wed, 24 Apr 2019 12:52:18 +0300
    4. 

  4. Subject: [PATCH] brcm80211: potential NULL dereference in
    5. 

  5.  brcmf_cfg80211_vndr_cmds_dcmd_handler()
    6. 

  6. 

  7. If "ret_len" is negative then it could lead to a NULL dereference.
    8. 

  8. 

  9. The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
    10. 

  10. then we don't allocate the "dcmd_buf" buffer.  Then we pass "ret_len" to
    11. 

  11. brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
    12. 

  12. Most of the functions in that call tree check whether the buffer we pass
    13. 

  13. is NULL but there are at least a couple places which don't such as
    14. 

  14. brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd().  We memcpy() to and
    15. 

  15. from the buffer so it would result in a NULL dereference.
    16. 

  16. 

  17. The fix is to change the types so that "ret_len" can't be negative.  (If
    18. 

  18. we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
    19. 

  19. issue).
    20. 

  20. 

  21. Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command")
    22. 

  22. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    23. 

  23. Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    24. 

  24. ---
    25. 

  25.  drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c | 5 +++--
    26. 

  26.  1 file changed, 3 insertions(+), 2 deletions(-)
    27. 

  27. 

  28. --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
    29. 

  29. +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
    30. 

  30. @@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd
    31. 

  31.  	struct brcmf_if *ifp;
    32. 

  32.  	const struct brcmf_vndr_dcmd_hdr *cmdhdr = data;
    33. 

  33.  	struct sk_buff *reply;
    34. 

  34. -	int ret, payload, ret_len;
    35. 

  35. +	unsigned int payload, ret_len;
    36. 

  36.  	void *dcmd_buf = NULL, *wr_pointer;
    37. 

  37.  	u16 msglen, maxmsglen = PAGE_SIZE - 0x100;
    38. 

  38. +	int ret;
    39. 

  39.  
    40. 

  40.  	if (len < sizeof(*cmdhdr)) {
    41. 

  41.  		brcmf_err("vendor command too short: %d\n", len);
    42. 

  42. @@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd
    43. 

  43.  			brcmf_err("oversize return buffer %d\n", ret_len);
    44. 

  44.  			ret_len = BRCMF_DCMD_MAXLEN;
    45. 

  45.  		}
    46. 

  46. -		payload = max(ret_len, len) + 1;
    47. 

  47. +		payload = max_t(unsigned int, ret_len, len) + 1;
    48. 

  48.  		dcmd_buf = vzalloc(payload);
    49. 

  49.  		if (NULL == dcmd_buf)
    50. 

  50.  			return -ENOMEM;
    51.