From patchwork Thu Oct 13 17:53:02 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 2261
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Soenke Huster, Johannes Berg
Subject: [PATCH 6.0 24/34] wifi: cfg80211: ensure length byte is present before access
Date: Thu, 13 Oct 2022 19:53:02 +0200
Message-Id: <20221013175147.143750056@linuxfoundation.org>
In-Reply-To: <20221013175146.507746257@linuxfoundation.org>
References: <20221013175146.507746257@linuxfoundation.org>
X-Mailer: git-send-email 2.38.0
User-Agent: quilt/0.67
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johannes Berg

commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.

When iterating the elements here, ensure the length byte is present
before checking it to see if the entire element will fit into the
buffer.

Longer term, we should rewrite this code using the type-safe element
iteration macros that check all of this.

Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reported-by: Soenke Huster
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/wireless/scan.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie; - while (tmp_old + tmp_old[1] + 2 - ie <= ielen) { + while (tmp_old + 2 - ie <= ielen && + tmp_old + tmp_old[1] + 2 - ie <= ielen) { if (tmp_old[0] == 0) { tmp_old++; continue; @@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const * copied to new ie, skip ssid, capability, bssid-index ie */ tmp_new = sub_copy; - while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { + while (tmp_new + 2 - sub_copy <= subie_len && + tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || tmp_new[0] == WLAN_EID_SSID)) { memcpy(pos, tmp_new, tmp_new[1] + 2);
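Review bot: in the first hunk (the tmp_old loop) the operand order of the new `&&` is load-bearing: `tmp_old + 2 - ie <= ielen` is the only thing that makes the `tmp_old[1]` read in the second operand legal, so swapping the two clauses later would silently reintroduce the over-read. A one-line comment on the loop, or rewriting both clauses on a local offset (`size_t off = tmp_old - ie;` then `off + 2 <= ielen && off + tmp_old[1] + 2 <= ielen`), would make that explicit and would also stop the loop from forming the out-of-range pointer `tmp_old + tmp_old[1] + 2` before comparing it. Note too that the `tmp_old[0] == 0` branch still advances by a single byte, so `tmp_old` can legitimately sit at `ie + ielen - 1`; that is why the guard needs `+ 2` (ID byte and length byte), not `+ 1`, and is worth stating until the `for_each_element()` rewrite the commit message promises.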
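Review bot: in the second hunk (the tmp_new loop) the new guard bounds the source side of `memcpy(pos, tmp_new, tmp_new[1] + 2)`, but the destination is only as safe as the size of the buffer `pos` points into, which this hunk does not show; since every element that passes the check is copied wholesale, please confirm in the caller (or say in a comment above the loop) that at least `subie_len` bytes remain past `pos`. The condition is also now the same two-clause guard as the first hunk against a different base pointer; a small static helper, or the type-safe element iteration macros the commit message mentions, would avoid maintaining it in two places.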
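To make the over-read the patch removes visible, here is an added userspace model of the element loop (example code, not the kernel's or the patch author's). It instruments every byte access so the pre-patch and post-patch loop conditions from the hunk can be compared on the same input. The names `struct walk`, `rd`, `walk_unchecked`, `walk_checked`, `frame_a` and `frame_b` are hypothetical, the sample buffers are constructed, and both conditions are written on a byte offset rather than on pointers so that no out-of-range pointer is ever formed.

```c
/*
 * Added example: a userspace model of the element loop in
 * cfg80211_gen_new_ie() (net/wireless/scan.c). Not kernel code.
 * All names here are hypothetical; the two while-conditions are the
 * pre-patch and post-patch conditions from the hunk, rewritten on an
 * offset instead of a pointer.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 802.11 elements are TLVs: [element ID][length][length bytes of data]. */
struct walk {
    const uint8_t *ie;   /* start of the element buffer */
    size_t ielen;        /* bytes the caller actually owns */
    size_t max_read;     /* highest offset read, relative to ie */
    int oob;             /* 1 if any read landed at or beyond ielen */
    int count;           /* elements visited */
};

/* Every byte access goes through rd() so the loop's reads can be audited.
 * The constructed buffers below carry padding after ielen, so a read past
 * the logical end is observable here; in the kernel that "padding" is
 * whatever memory happens to follow the allocation. */
static uint8_t rd(struct walk *w, size_t off)
{
    if (off > w->max_read)
        w->max_read = off;
    if (off >= w->ielen)
        w->oob = 1;
    return w->ie[off];
}

/* Pre-patch condition: the length byte at off + 1 is read before anything
 * has established that off + 1 < ielen. */
static struct walk walk_unchecked(const uint8_t *ie, size_t ielen)
{
    struct walk w = { ie, ielen, 0, 0, 0 };
    size_t off = 0;

    while (off + rd(&w, off + 1) + 2 <= w.ielen) {
        if (rd(&w, off) == 0) {   /* single-byte skip, as in the original loop */
            off++;
            continue;
        }
        w.count++;
        off += rd(&w, off + 1) + 2;
    }
    return w;
}

/* Post-patch condition: off + 2 <= ielen is checked first, so the length
 * byte is only read once it is known to lie inside the buffer. The &&
 * order matters; swapping the operands brings the over-read back. */
static struct walk walk_checked(const uint8_t *ie, size_t ielen)
{
    struct walk w = { ie, ielen, 0, 0, 0 };
    size_t off = 0;

    while (off + 2 <= w.ielen &&
           off + rd(&w, off + 1) + 2 <= w.ielen) {
        if (rd(&w, off) == 0) {
            off++;
            continue;
        }
        w.count++;
        off += rd(&w, off + 1) + 2;
    }
    return w;
}

/* Constructed sample buffers. Bytes after *_LEN are padding the caller
 * does not own; they exist only so the model can observe the over-read. */
static const uint8_t frame_a[] = {
    0x01, 0x02, 0x82, 0x84,   /* EID 1 (Supported Rates), 2 bytes */
    0x03, 0x01, 0x06,         /* EID 3 (DS Parameter Set), 1 byte */
    0x00, 0x00                /* padding */
};
#define FRAME_A_LEN 7

static const uint8_t frame_b[] = {
    0x03, 0x01, 0x06,         /* EID 3, 1 byte */
    0x00, 0x00,               /* two zero bytes drive the single-byte skip */
    0x00                      /* padding */
};
#define FRAME_B_LEN 5

int main(void)
{
    const struct { const char *name; const uint8_t *ie; size_t len; } cases[] = {
        { "frame_a", frame_a, FRAME_A_LEN },
        { "frame_b", frame_b, FRAME_B_LEN },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        struct walk u = walk_unchecked(cases[i].ie, cases[i].len);
        struct walk c = walk_checked(cases[i].ie, cases[i].len);
        printf("%s (ielen=%zu): unchecked max_read=%zu oob=%d count=%d | "
               "checked max_read=%zu oob=%d count=%d\n",
               cases[i].name, cases[i].len,
               u.max_read, u.oob, u.count, c.max_read, c.oob, c.count);
    }
    return 0;
}
```

On `frame_a` the elements end exactly at `ielen`, so the pre-patch condition reads the length byte at offset `ielen + 1`; on `frame_b` the zero-byte skip leaves the cursor at `ielen - 1` and the read lands at offset `ielen`. In both cases the patched condition stops before the read and visits the same number of elements, which is the whole effect of the fix: it changes what is read, not what is parsed.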