From patchwork Thu Oct 13 17:52:55 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 2239
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Soenke Huster, Johannes Berg
Subject: [PATCH 5.19 23/33] wifi: cfg80211: ensure length byte is present before access
Date: Thu, 13 Oct 2022 19:52:55 +0200
Message-Id: <20221013175146.048460185@linuxfoundation.org>
In-Reply-To: <20221013175145.236739253@linuxfoundation.org>
References: <20221013175145.236739253@linuxfoundation.org>

From: Johannes Berg

commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.

When iterating the elements here, ensure the length byte is present
before checking it to see if the entire element will fit into the
buffer.

Longer term, we should rewrite this code using the type-safe element
iteration macros that check all of this.

Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reported-by: Soenke Huster
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/wireless/scan.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie; - while (tmp_old + tmp_old[1] + 2 - ie <= ielen) { + while (tmp_old + 2 - ie <= ielen && + tmp_old + tmp_old[1] + 2 - ie <= ielen) { if (tmp_old[0] == 0) { tmp_old++; continue; @@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const * copied to new ie, skip ssid, capability, bssid-index ie */ tmp_new = sub_copy; - while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { + while (tmp_new + 2 - sub_copy <= subie_len && + tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || tmp_new[0] == WLAN_EID_SSID)) { memcpy(pos, tmp_new, tmp_new[1] + 2);
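Review bot: In the `@@ -304` hunk the new term `tmp_old + 2 - ie <= ielen` must stay as the left operand of `&&`, because only the short-circuit evaluation order keeps `tmp_old[1]` from being read when the buffer ends right after an element ID byte; since that ordering is the whole fix, a one-line comment above the `while` saying that the first term guards the `tmp_old[1]` read in the second would stop a later cleanup from merging or reordering them. The check also covers the `tmp_old++; continue;` path for a zero ID byte, which can leave `tmp_old` one byte before the end of the buffer before the condition is re-evaluated; the commit message's follow-up of moving to the type-safe element iteration macros would remove this hand-written pointer arithmetic altogether and is worth tracking as a separate patch.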
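Review bot: In the `@@ -364` hunk the added `tmp_new + 2 - sub_copy <= subie_len` term guards the `tmp_new[1]` read both in the loop condition and in the `memcpy(pos, tmp_new, tmp_new[1] + 2)` below it, so the source side of that copy is now bounded by `subie_len`. Nothing in the visible lines bounds the destination `pos`, so it is worth confirming separately that the new-IE buffer is sized for the worst-case total of copied elements; as in the first hunk, keep the new term on the left of `&&` and consider a short comment stating why the order matters.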
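As an added illustration of the bug the commit message describes (example code, not part of the patch or of the kernel's own sources): a hypothetical instrumented walk over a constructed `[id][len][data]` buffer that ends in a lone element ID byte, run once with the pre-patch loop condition and once with the patched one; the SSID lookup and the zero-ID skip of the real loop are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
struct walk_result {
	size_t elements; /* complete [id][len][data] elements seen */
	int oob_read;    /* set when a length byte was fetched past ielen */
};
/* Hypothetical instrumented fetch: records an out-of-bounds access
 * instead of touching memory past the buffer, and returns 0 for it. */
static uint8_t byte_at(const uint8_t *ie, size_t ielen, size_t idx,
		       struct walk_result *r)
{
	if (idx >= ielen)
		r->oob_read = 1;
	return idx < ielen ? ie[idx] : 0;
}

/* Walk [id][len][data] elements like the cfg80211_gen_new_ie() loop.
 * hardened=0 mirrors the pre-patch condition (length byte read unchecked);
 * hardened=1 adds the patch's first '&&' term: both header bytes must fit. */
static struct walk_result walk_elements(const uint8_t *ie, size_t ielen,
					int hardened)
{
	struct walk_result r = { 0, 0 };
	size_t off = 0; /* offset of the current element, i.e. tmp_old - ie */

	for (;;) {
		if (hardened && off + 2 > ielen)
			break; /* no room for id + length byte */
		size_t len = byte_at(ie, ielen, off + 1, &r);
		if (off + len + 2 > ielen)
			break; /* element body would overrun the buffer */
		r.elements++;
		off += len + 2;
	}
	return r;
}

int main(void)
{
	/* Constructed input: one complete element, then a lone trailing ID byte. */
	static const uint8_t ies[] = { 0x01, 0x01, 0xaa, 0x32 };
	struct walk_result before = walk_elements(ies, sizeof(ies), 0);
	struct walk_result after = walk_elements(ies, sizeof(ies), 1);
	printf("pre-patch:  elements=%zu oob_read=%d\n", before.elements, before.oob_read);
	printf("post-patch: elements=%zu oob_read=%d\n", after.elements, after.oob_read);
	return 0;
}
```

With the constructed input the unhardened walk fetches the length byte at offset 4 of a 4-byte buffer (flagged as `oob_read=1`), while the patched condition stops after the one complete element without that fetch.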