authorJohannes Berg <johannes.berg@intel.com>2022-11-25 12:36:57 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2022-12-08 11:28:40 +0100
commit88a6fe3707888bd1893e9741157a7035c4159ab6 (patch)
treeea4e9057c9ff42ee09d187f8730dd386a99430c8 /net/wireless
parent08fff7aaeb7e1408d363093280a5888e2f947b3e (diff)
wifi: cfg80211: fix buffer overflow in elem comparison
[ Upstream commit 9f16b5c82a025cd4c864737409234ddc44fb166a ] For vendor elements, the code here assumes that 5 octets are present without checking. Since the element itself is already checked to fit, we only need to check the length. Reported-and-tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/wireless')
-rw-r--r--net/wireless/scan.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 2477d28c2dab..937ec4c2a3bf 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -330,7 +330,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
* determine if they are the same ie.
*/
if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) {
- if (!memcmp(tmp_old + 2, tmp + 2, 5)) {
+ if (tmp_old[1] >= 5 && tmp[1] >= 5 &&
+ !memcmp(tmp_old + 2, tmp + 2, 5)) {
/* same vendor ie, copy from
* subelement
*/
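Review bot: The bare `5` now appears three times in the new condition (`tmp_old[1] >= 5 && tmp[1] >= 5` and the `memcmp` size), so the length guard and the compare width are tied together only by convention; a named constant used in all three places would keep them from drifting apart. The guard is sufficient only because both elements were already validated to fit inside their buffers, which the commit description states but this hunk does not show, so I would record that next to the check, e.g. `/* both elements already fit their buffers; only the declared length must cover the 5 compared octets */`. Vendor elements with fewer than 5 payload octets now skip this branch and take whatever the fall-through path does, which is presumably the intended "not the same element" handling but is worth confirming, since the rest of cfg80211_gen_new_ie lies outside the hunk.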