mirror of synced 2025-03-06 20:59:54 +01:00
linux/drivers/net/wireless/intel/ipw2x00
Kees Cook d6b6d1bb80 ipw2x00: Avoid field-overflowing memcpy()
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring fields.

libipw_read_qos_param_element() copies a struct libipw_info_element
into a struct libipw_qos_information_element, but is actually wanting to
copy into the larger struct libipw_qos_parameter_info (the contents of
ac_params_record[] is later examined). Refactor the routine to perform
centralized checks, and copy the entire contents directly (since the id
and len members match the elementID and length members):

struct libipw_info_element {
        u8 id;
        u8 len;
        u8 data[];
} __packed;

struct libipw_qos_information_element {
        u8 elementID;
        u8 length;
        u8 qui[QOS_OUI_LEN];
        u8 qui_type;
        u8 qui_subtype;
        u8 version;
        u8 ac_info;
} __packed;

struct libipw_qos_parameter_info {
        struct libipw_qos_information_element info_element;
        u8 reserved;
        struct libipw_qos_ac_parameter ac_params_record[QOS_QUEUE_NUM];
} __packed;

Cc: Stanislav Yakovlev <stas.yakovlev@gmail.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210819202825.3545692-2-keescook@chromium.org
2021-08-21 20:15:35 +03:00
ipw.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ipw2100.c ipw2x00: Minor documentation update 2021-06-03 12:33:55 +03:00
ipw2100.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 507 2019-06-19 17:11:23 +02:00
ipw2200.c ipw2x00: convert tasklets to use new tasklet_setup() API 2020-08-27 16:22:06 +03:00
ipw2200.h net: ipw2x00,iwlegacy,iwlwifi: Remove in_interrupt() from debug macros 2020-09-29 14:02:55 -07:00
Kconfig net: wireless: drop bogus CRYPTO_xxx Kconfig selects 2020-09-11 14:39:16 +10:00
libipw.h net: ipw2x00,iwlegacy,iwlwifi: Remove in_interrupt() from debug macros 2020-09-29 14:02:55 -07:00
libipw_geo.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 507 2019-06-19 17:11:23 +02:00
libipw_module.c proc: convert everything to "struct proc_ops" 2020-02-04 03:05:26 +00:00
libipw_rx.c ipw2x00: Avoid field-overflowing memcpy() 2021-08-21 20:15:35 +03:00
libipw_tx.c ipw2x00: Use struct_size helper instead of open-coded arithmetic 2021-08-21 20:15:15 +03:00
libipw_wx.c ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() 2021-04-17 20:35:44 +03:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00