From patchwork Fri Dec 26 11:02:32 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Avinash Patil <patila@marvell.com>
X-Patchwork-Id: 5542811
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
X-Original-To: patchwork-linux-wireless@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 80A45BEEA8
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Fri, 26 Dec 2014 11:04:19 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 9A29A20154
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Fri, 26 Dec 2014 11:04:18 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 6305F20166
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Fri, 26 Dec 2014 11:04:17 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751729AbaLZLEM (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Fri, 26 Dec 2014 06:04:12 -0500
Received: from mx0b-0016f401.pphosted.com ([67.231.156.173]:20378 "EHLO
	mx0b-0016f401.pphosted.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1751726AbaLZLEJ (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Fri, 26 Dec 2014 06:04:09 -0500
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1])
	by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id
	sBQB0AoD024963
	for <linux-wireless@vger.kernel.org>; Fri, 26 Dec 2014 03:04:08 -0800
Received: from sc-owa.marvell.com ([199.233.58.135])
	by mx0b-0016f401.pphosted.com with ESMTP id 1rfdgcppvq-8
	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT)
	for <linux-wireless@vger.kernel.org>; Fri, 26 Dec 2014 03:04:08 -0800
Received: from maili.marvell.com (10.93.76.43) by SC-OWA.marvell.com
	(10.93.76.28) with Microsoft SMTP Server id 8.3.327.1;
	Fri, 26 Dec 2014 03:03:49 -0800
Received: from pe-lt101 (unknown [10.31.130.182])	by maili.marvell.com
	(Postfix) with ESMTP id D921F3F703F;
	Fri, 26 Dec 2014 03:03:49 -0800 (PST)
Received: from pe-lt101 (pe-lt077 [127.0.0.1])	by pe-lt101 (8.14.4/8.14.4)
	with ESMTP id sBQB2eEu004129;	Fri, 26 Dec 2014 03:02:41 -0800
Received: (from root@localhost)	by pe-lt101 (8.14.4/8.14.4/Submit) id
	sBQB2eVY004119;	Fri, 26 Dec 2014 03:02:40 -0800
From: Avinash Patil <patila@marvell.com>
To: <linux-wireless@vger.kernel.org>
CC: <akarwar@marvell.com>, <cluo@marvell.com>, Xinming Hu <huxm@marvell.com>,
	Avinash Patil <patila@marvell.com>
Subject: [PATCH v3 2/4] mwifiex: do not send key material cmd when delete
	wep key
Date: Fri, 26 Dec 2014 03:02:32 -0800
Message-ID: <1419591754-4086-2-git-send-email-patila@marvell.com>
X-Mailer: git-send-email 1.7.3.4
In-Reply-To: <1419591754-4086-1-git-send-email-patila@marvell.com>
References: <1419591754-4086-1-git-send-email-patila@marvell.com>
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.13.68, 1.0.33,
	0.0.0000
	definitions=2014-12-25_06:2014-12-24, 2014-12-25,
	1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
	spamscore=0 suspectscore=1
	phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0
	reason=mlx
	scancount=1 engine=7.0.1-1402240000 definitions=main-1412260118
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Xinming Hu <huxm@marvell.com>

This patch fixes memory corruption reported by community developer.

"Memory corruption occurs in mwifiex_ret_802_11_key_material_v1()
when a short command response is received without a key length
causing non initialised memory to be interpreted as the key
length resulting in a memcpy() overwriting the part of the
driver's private data structure beyond the key area."

For v1 key material API firmwares, there is no need to send
command to delete WEP key. WEP encryption/decryption is controlled
by mac_control command.

This patch avoids sending key material command in del_key case.

Reported-by: Martin Fuzzey <mfuzzey@parkeon.com>
Signed-off-by: Xinming Hu <huxm@marvell.com>
Signed-off-by: Cathy Luo <cluo@marvell.com>
Signed-off-by: Avinash Patil <patila@marvell.com>
---
 drivers/net/wireless/mwifiex/sta_ioctl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c
index 1626868..fb9c5fc 100644
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -902,9 +902,12 @@ static int mwifiex_sec_ioctl_set_wep_key(struct mwifiex_private *priv,
 	if (wep_key->key_length) {
 		void *enc_key;
 
-		if (encrypt_key->key_disable)
+		if (encrypt_key->key_disable) {
 			memset(&priv->wep_key[index], 0,
 			       sizeof(struct mwifiex_wep_key));
+			if (wep_key->key_length)
+				goto done;
+			}
 
 		if (adapter->key_api_major_ver == KEY_API_VER_MAJOR_V2)
 			enc_key = encrypt_key;
@@ -918,6 +921,7 @@ static int mwifiex_sec_ioctl_set_wep_key(struct mwifiex_private *priv,
 			return ret;
 	}
 
+done:
 	if (priv->sec_info.wep_enabled)
 		priv->curr_pkt_filter |= HostCmd_ACT_MAC_WEP_ENABLE;
 	else