da94840dac7b1ae7d22654c3ab7022a2a28d87f9
[openwrt/staging/hauke.git] /
1 From: Johannes Berg <johannes.berg@intel.com>
2 Date: Thu, 29 Sep 2022 21:50:44 +0200
3 Subject: [PATCH] wifi: cfg80211: ensure length byte is present before
4 access
5
6 commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
7
8 When iterating the elements here, ensure the length byte is
9 present before checking it to see if the entire element will
10 fit into the buffer.
11
12 Longer term, we should rewrite this code using the type-safe
13 element iteration macros that check all of this.
14
15 Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
16 Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
17 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
18 ---
19
20 --- a/net/wireless/scan.c
21 +++ b/net/wireless/scan.c
22 @@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const
23 tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
24 tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
25
26 - while (tmp_old + tmp_old[1] + 2 - ie <= ielen) {
27 + while (tmp_old + 2 - ie <= ielen &&
28 + tmp_old + tmp_old[1] + 2 - ie <= ielen) {
29 if (tmp_old[0] == 0) {
30 tmp_old++;
31 continue;
32 @@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const
33 * copied to new ie, skip ssid, capability, bssid-index ie
34 */
35 tmp_new = sub_copy;
36 - while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
37 + while (tmp_new + 2 - sub_copy <= subie_len &&
38 + tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
39 if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
40 tmp_new[0] == WLAN_EID_SSID)) {
41 memcpy(pos, tmp_new, tmp_new[1] + 2);