1 From e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d Mon Sep 17 00:00:00 2001
2 From: Dan Carpenter <dan.carpenter@oracle.com>
3 Date: Wed, 24 Apr 2019 12:52:18 +0300
4 Subject: [PATCH] brcm80211: potential NULL dereference in
5 brcmf_cfg80211_vndr_cmds_dcmd_handler()
7 If "ret_len" is negative then it could lead to a NULL dereference.
9 The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
10 then we don't allocate the "dcmd_buf" buffer. Then we pass "ret_len" to
11 brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
12 Most of the functions in that call tree check whether the buffer we pass
13 is NULL but there are at least a couple places which don't such as
14 brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd(). We memcpy() to and
15 from the buffer so it would result in a NULL dereference.
17 The fix is to change the types so that "ret_len" can't be negative. (If
18 we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
21 Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command")
22 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
23 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
25 drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c | 5 +++--
26 1 file changed, 3 insertions(+), 2 deletions(-)
28 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
29 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
30 @@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd
32 const struct brcmf_vndr_dcmd_hdr *cmdhdr = data;
33 struct sk_buff *reply;
34 - int ret, payload, ret_len;
35 + unsigned int payload, ret_len;
36 void *dcmd_buf = NULL, *wr_pointer;
37 u16 msglen, maxmsglen = PAGE_SIZE - 0x100;
40 if (len < sizeof(*cmdhdr)) {
41 brcmf_err("vendor command too short: %d\n", len);
42 @@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd
43 brcmf_err("oversize return buffer %d\n", ret_len);
44 ret_len = BRCMF_DCMD_MAXLEN;
46 - payload = max(ret_len, len) + 1;
47 + payload = max_t(unsigned int, ret_len, len) + 1;
48 dcmd_buf = vzalloc(payload);