[lvc-project] Bug in commit 119585281617 wifi: mwifiex: Fix OOB and integer underflow when rx packets

Brian Norris briannorris at chromium.org
Wed Aug 9 23:32:45 MSK 2023


On Wed, Aug 09, 2023 at 12:35:37PM +0300, Dmitry Antipov wrote:
> And I have some doubts on 119585281617 ("wifi: mwifiex: Fix OOB and integer
> underflow when rx packets"). Looking through 'mwifiex_uap_queue_bridged_pkt()'
> again, it seems that 'return' is missing:
> 
> 	if (sizeof(*rx_pkt_hdr) +
> 	    le16_to_cpu(uap_rx_pd->rx_pkt_offset) > skb->len) {
> 		mwifiex_dbg(adapter, ERROR,
> 			    "wrong rx packet offset: len=%d,rx_pkt_offset=%d\n",
> 			    skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset));
> 		priv->stats.rx_dropped++;
> 		dev_kfree_skb_any(skb);
> 		/* HERE */
> 	}
> 
> 	if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
> 
> because 'rx_pkt_hdr' points to 'skb->data' plus some offset (see above),
> so reading freed memory with 'memcmp()' causes an undefined behavior.
> And likewise for 'mwifiex_process_rx_packet()' (but not for
> 'mwifiex_process_uap_rx_packet()' where 'return 0' looks correct).

That's...completely unrelated to the post in question, so changing the
subject. But it's also an excellent (and terrible) catch.

Polars or Matthew, can you fix that up in a new patch ASAP?

CC Johannes, in case this patch is going places any time soon.

Brian
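A self-contained C model of the control flow Dmitry describes, added here as an example and not code from the driver or the thread: the structures are simplified stand-ins with assumed shapes, model_kfree_skb() stands in for dev_kfree_skb_any(), and run_case() feeds constructed packets through the check to show that a bad rx_pkt_offset is dropped and the function returns before rx_pkt_hdr is ever dereferenced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins with assumed shapes; the real driver structs differ in detail. */
struct sk_buff { unsigned char *data; unsigned int len; };
struct uap_rxpd { uint16_t rx_pkt_offset; };            /* __le16 in the driver */
struct rx_packet_hdr { unsigned char eth803_hdr[14]; unsigned char rfc1042_hdr[8]; };
/* SNAP header used for bridge-tunnel encapsulation (AA AA 03 00 00 F8). */
static const unsigned char bridge_tunnel_header[] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 };
static int rx_dropped;

/* Model of dev_kfree_skb_any(): after this, skb->data is freed memory. */
static void model_kfree_skb(struct sk_buff *skb)
{
    free(skb->data);
    skb->data = NULL; skb->len = 0;
}

/* Returns 1 if the in-bounds header carries the bridge-tunnel SNAP, 0 if not, -1 if
 * dropped. The early return is the fix: once freed, skb->data must never be read. */
static int process_rx_packet(struct sk_buff *skb)
{
    struct uap_rxpd *uap_rx_pd = (struct uap_rxpd *)skb->data;
    uint16_t offset = uap_rx_pd->rx_pkt_offset;         /* le16_to_cpu() in the driver */
    struct rx_packet_hdr *rx_pkt_hdr;

    /* size_t arithmetic with a 16-bit offset cannot wrap, so no underflow here. */
    if (sizeof(*rx_pkt_hdr) + offset > skb->len) {
        rx_dropped++;
        model_kfree_skb(skb);
        return -1;          /* the 'return' the thread points out is missing */
    }
    rx_pkt_hdr = (struct rx_packet_hdr *)(skb->data + offset);
    return !memcmp(rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header, sizeof(bridge_tunnel_header));
}

/* Constructed skb of 'len' bytes whose descriptor claims 'offset'; runs the
 * check, frees whatever is left (NULL after a drop) and returns the result. */
static int run_case(unsigned int len, uint16_t offset, int with_bridge_snap)
{
    struct sk_buff skb = { calloc(len, 1), len };
    int rc;
    memcpy(skb.data, &offset, sizeof(offset));          /* host-order stand-in for __le16 */
    if (with_bridge_snap && offset + sizeof(struct rx_packet_hdr) <= len)
        memcpy(skb.data + offset + 14, bridge_tunnel_header, sizeof(bridge_tunnel_header));
    rc = process_rx_packet(&skb);
    free(skb.data);
    return rc;
}

static int dropped_count(void) { return rx_dropped; }
```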


