Message ID | 20221013175148.431764542@linuxfoundation.org |
---|---|
State | New |
Headers | From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>; To: linux-kernel@vger.kernel.org; Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Soenke Huster <shuster@seemoo.tu-darmstadt.de>, Johannes Berg <johannes.berg@intel.com>; Subject: [PATCH 5.10 45/54] wifi: cfg80211: ensure length byte is present before access; Date: Thu, 13 Oct 2022 19:52:39 +0200; In-Reply-To: <20221013175147.337501757@linuxfoundation.org> |
Series | None |
Commit Message
Greg KH
Oct. 13, 2022, 5:52 p.m. UTC
From: Johannes Berg <johannes.berg@intel.com>

commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.

When iterating the elements here, ensure the length byte is
present before checking it to see if the entire element will
fit into the buffer.

Longer term, we should rewrite this code using the type-safe
element iteration macros that check all of this.

Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/wireless/scan.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie; - while (tmp_old + tmp_old[1] + 2 - ie <= ielen) { + while (tmp_old + 2 - ie <= ielen && + tmp_old + tmp_old[1] + 2 - ie <= ielen) { if (tmp_old[0] == 0) { tmp_old++; continue; @@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const * copied to new ie, skip ssid, capability, bssid-index ie */ tmp_new = sub_copy; - while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { + while (tmp_new + 2 - sub_copy <= subie_len && + tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || tmp_new[0] == WLAN_EID_SSID)) { memcpy(pos, tmp_new, tmp_new[1] + 2);
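
Review bot: In the first hunk (the tmp_old loop at -304), the added test tmp_old + 2 - ie <= ielen protects the read of tmp_old[1] only because && evaluates it before the second operand, and nothing in the code says so. A one-line comment stating that the two header bytes must be in range before the length byte is read would keep a later cleanup from reordering or merging the two tests. The same pair of tests is open-coded again in the tmp_new loop, so a small helper taking the cursor, the buffer start and the buffer length would remove the duplication until the element iteration macros mentioned in the commit message are adopted.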
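
Review bot: In the second hunk (the tmp_new loop at -364), memcpy(pos, tmp_new, tmp_new[1] + 2) is now bounded on the source side by subie_len, but the lines shown do not bound pos against the size of the destination buffer. Please confirm that the destination is sized for the worst case of every copied element, or add a remaining-space check before the copy and stop when tmp_new[1] + 2 would not fit. If the sizing guarantee lives elsewhere in cfg80211_gen_new_ie, a short comment at the memcpy pointing to it would make this loop reviewable on its own.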