Message ID | 20221013175144.224834735@linuxfoundation.org |
---|---|
State | New |
Headers |
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Soenke Huster <shuster@seemoo.tu-darmstadt.de>, Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 5.15 18/27] wifi: cfg80211: ensure length byte is present before access
Date: Thu, 13 Oct 2022 19:52:47 +0200
Message-Id: <20221013175144.224834735@linuxfoundation.org>
In-Reply-To: <20221013175143.518476113@linuxfoundation.org>
References: <20221013175143.518476113@linuxfoundation.org> |
Commit Message
Greg KH
Oct. 13, 2022, 5:52 p.m. UTC
From: Johannes Berg <johannes.berg@intel.com>

commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.

When iterating the elements here, ensure the length byte is
present before checking it to see if the entire element will
fit into the buffer.

Longer term, we should rewrite this code using the type-safe
element iteration macros that check all of this.

Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/wireless/scan.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie; - while (tmp_old + tmp_old[1] + 2 - ie <= ielen) { + while (tmp_old + 2 - ie <= ielen && + tmp_old + tmp_old[1] + 2 - ie <= ielen) { if (tmp_old[0] == 0) { tmp_old++; continue; @@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const * copied to new ie, skip ssid, capability, bssid-index ie */ tmp_new = sub_copy; - while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { + while (tmp_new + 2 - sub_copy <= subie_len && + tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || tmp_new[0] == WLAN_EID_SSID)) { memcpy(pos, tmp_new, tmp_new[1] + 2);
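
Review bot: in the first loop (hunk at -304) the new clause `tmp_old + 2 - ie <= ielen` only protects the `tmp_old[1]` read because `&&` evaluates it first, and nothing in the code says so. A short comment above the `while` stating that the first clause checks for the ID and length bytes and the second for the whole element would keep a later cleanup from merging or reordering them. The `tmp_old[0] == 0` branch advances by one byte and continues, so it depends on this condition being re-evaluated at every step; that is worth stating in the same comment.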
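
Review bot: in the second loop (hunk at -364) the condition bounds reads from `sub_copy`, but the `memcpy(pos, tmp_new, tmp_new[1] + 2)` that follows writes `tmp_new[1] + 2` bytes to `pos` and nothing in the visible lines checks the space left in the destination. Please confirm the output buffer is sized for the worst case, or add a check before the copy. The same two-clause bound is now open-coded in both loops; a small helper taking the cursor, the base pointer and the length would keep the two in step until the move to the element iteration macros that the commit message mentions.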