staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan

lgtux · ksacilotto · commit a1e24c33fb5c · 2021-04-14T18:32:00.000+02:00
BugLink: https://bugs.launchpad.net/bugs/1920246 commit 8687bf9 upstream. Function _rtl92e_wx_set_scan calls memcpy without checking the length. A user could control that length and trigger a buffer overflow. Fix by checking the length is within the maximum allowed size. Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Lee Gibson <leegib@gmail.com> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20210226145157.424065-1-leegib@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Kelsey Skunberg <kelsey.skunberg@canonical.com>
diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_wx.c b/drivers/staging/rtl8192e/rtl8192e/rtl_wx.c
@@ -406,9 +406,10 @@ static int _rtl92e_wx_set_scan(struct net_device *dev,
 		struct iw_scan_req *req = (struct iw_scan_req *)b;
 
 		if (req->essid_len) {
-			ieee->current_network.ssid_len = req->essid_len;
-			memcpy(ieee->current_network.ssid, req->essid,
-			       req->essid_len);
+			int len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);
+
+			ieee->current_network.ssid_len = len;
+			memcpy(ieee->current_network.ssid, req->essid, len);
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -406,9 +406,10 @@ static int _rtl92e_wx_set_scan(struct net_device *dev,`
`406`	`406`	`struct iw_scan_req req = (struct iw_scan_req )b;`
`407`	`407`
`408`	`408`	`if (req->essid_len) {`
`409`		`- ieee->current_network.ssid_len = req->essid_len;`
`410`		`- memcpy(ieee->current_network.ssid, req->essid,`
`411`		`- req->essid_len);`
	`409`	`+ int len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);`
	`410`	`+`
	`411`	`+ ieee->current_network.ssid_len = len;`
	`412`	`+ memcpy(ieee->current_network.ssid, req->essid, len);`
`412`	`413`	`}`
`413`	`414`	`}`
`414`	`415`