Date: Thu, 3 Aug 2017 07:50:46 +0000 (UTC) From: Hans Petter Selasky <hselasky@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r321980 - stable/11/sys/dev/usb/wlan Message-ID: <201708030750.v737okWI098302@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: hselasky Date: Thu Aug 3 07:50:46 2017 New Revision: 321980 URL: https://svnweb.freebsd.org/changeset/base/321980 Log: MFC r321722: Properly range check length of parsed information elements in RSU driver. Found by: Ilja van Sprundel <ivansprundel@ioactive.com> Sponsored by: Mellanox Technologies Modified: stable/11/sys/dev/usb/wlan/if_rsu.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/dev/usb/wlan/if_rsu.c ============================================================================== --- stable/11/sys/dev/usb/wlan/if_rsu.c Thu Aug 3 07:42:08 2017 (r321979) +++ stable/11/sys/dev/usb/wlan/if_rsu.c Thu Aug 3 07:50:46 2017 (r321980) @@ -1481,6 +1481,8 @@ rsu_hwrssi_to_rssi(struct rsu_softc *sc, int hw_rssi) return (v); } +CTASSERT(MCLBYTES > sizeof(struct ieee80211_frame)); + static void rsu_event_survey(struct rsu_softc *sc, uint8_t *buf, int len) { @@ -1489,28 +1491,31 @@ rsu_event_survey(struct rsu_softc *sc, uint8_t *buf, i struct ndis_wlan_bssid_ex *bss; struct ieee80211_rx_stats rxs; struct mbuf *m; - int pktlen; + uint32_t ieslen; + uint32_t pktlen; if (__predict_false(len < sizeof(*bss))) return; bss = (struct ndis_wlan_bssid_ex *)buf; - if (__predict_false(len < sizeof(*bss) + le32toh(bss->ieslen))) + ieslen = le32toh(bss->ieslen); + /* range check length of information element */ + if (__predict_false(ieslen > (uint32_t)(len - sizeof(*bss)))) return; RSU_DPRINTF(sc, RSU_DEBUG_SCAN, "%s: found BSS %s: len=%d chan=%d inframode=%d " "networktype=%d privacy=%d, RSSI=%d\n", __func__, - ether_sprintf(bss->macaddr), le32toh(bss->len), + ether_sprintf(bss->macaddr), ieslen, le32toh(bss->config.dsconfig), le32toh(bss->inframode), le32toh(bss->networktype), le32toh(bss->privacy), le32toh(bss->rssi)); /* Build a fake beacon frame to let net80211 do all the parsing. */ /* XXX TODO: just call the new scan API methods! */ - pktlen = sizeof(*wh) + le32toh(bss->ieslen); - if (__predict_false(pktlen > MCLBYTES)) + if (__predict_false(ieslen > (size_t)(MCLBYTES - sizeof(*wh)))) return; + pktlen = sizeof(*wh) + ieslen; m = m_get2(pktlen, M_NOWAIT, MT_DATA, M_PKTHDR); if (__predict_false(m == NULL)) return; @@ -1523,7 +1528,7 @@ rsu_event_survey(struct rsu_softc *sc, uint8_t *buf, i IEEE80211_ADDR_COPY(wh->i_addr2, bss->macaddr); IEEE80211_ADDR_COPY(wh->i_addr3, bss->macaddr); *(uint16_t *)wh->i_seq = 0; - memcpy(&wh[1], (uint8_t *)&bss[1], le32toh(bss->ieslen)); + memcpy(&wh[1], (uint8_t *)&bss[1], ieslen); /* Finalize mbuf. */ m->m_pkthdr.len = m->m_len = pktlen; @@ -2621,6 +2626,8 @@ rsu_fw_loadsection(struct rsu_softc *sc, const uint8_t return (0); } +CTASSERT(sizeof(size_t) >= sizeof(uint32_t)); + static int rsu_load_firmware(struct rsu_softc *sc) { @@ -2628,7 +2635,7 @@ rsu_load_firmware(struct rsu_softc *sc) struct r92s_fw_priv *dmem; struct ieee80211com *ic = &sc->sc_ic; const uint8_t *imem, *emem; - int imemsz, ememsz; + uint32_t imemsz, ememsz; const struct firmware *fw; size_t size; uint32_t reg; @@ -2679,7 +2686,8 @@ rsu_load_firmware(struct rsu_softc *sc) imemsz = le32toh(hdr->imemsz); ememsz = le32toh(hdr->sramsz); /* Check that all FW sections fit in image. */ - if (size < sizeof(*hdr) + imemsz + ememsz) { + if (imemsz > (size_t)(size - sizeof(*hdr)) || + ememsz > (size_t)(size - sizeof(*hdr) - imemsz)) { device_printf(sc->sc_dev, "firmware too short\n"); error = EINVAL; goto fail;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201708030750.v737okWI098302>