staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback

Qiujun Huang · gregkh · commit 1165dd73e811 · 2020-03-26T15:47:26.000+01:00
We can't handle the case length > WLAN_DATA_MAXLEN. Because the size of rxfrm->data is WLAN_DATA_MAXLEN(2312), and we can't read more than that. Thanks-to: Hillf Danton <hdanton@sina.com> Reported-and-tested-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com Signed-off-by: Qiujun Huang <hqjagain@gmail.com> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20200326131850.17711-1-hqjagain@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
@@ -3376,6 +3376,8 @@ static void hfa384x_int_rxmonitor(struct wlandevice *wlandev,
 	     WLAN_HDR_A4_LEN + WLAN_DATA_MAXLEN + WLAN_CRC_LEN)) {
 		pr_debug("overlen frm: len=%zd\n",
 			 skblen - sizeof(struct p80211_caphdr));
+
+		return;
 	}
 
 	skb = dev_alloc_skb(skblen);

Original file line number	Diff line number	Diff line change
`@@ -3376,6 +3376,8 @@ static void hfa384x_int_rxmonitor(struct wlandevice *wlandev,`
`3376`	`3376`	`WLAN_HDR_A4_LEN + WLAN_DATA_MAXLEN + WLAN_CRC_LEN)) {`
`3377`	`3377`	`pr_debug("overlen frm: len=%zd\n",`
`3378`	`3378`	`skblen - sizeof(struct p80211_caphdr));`
	`3379`	`+`
	`3380`	`+ return;`
`3379`	`3381`	`}`
`3380`	`3382`
`3381`	`3383`	`skb = dev_alloc_skb(skblen);`