summaryrefslogtreecommitdiffstats
path: root/net/wireless/scan.c
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2022-09-28 22:01:37 +0200
committerJohannes Berg <johannes.berg@intel.com>2022-10-10 09:50:15 +0200
commit8f033d2becc24aa6bfd2a5c104407963560caabc (patch)
tree7a7675b9ccfa249d4798238cdbe7505973213b32 /net/wireless/scan.c
parentaebe9f4639b13a1f4e9a6b42cdd2e38c617b442d (diff)
downloadlinux-8f033d2becc24aa6bfd2a5c104407963560caabc.tar.gz
linux-8f033d2becc24aa6bfd2a5c104407963560caabc.tar.bz2
linux-8f033d2becc24aa6bfd2a5c104407963560caabc.zip
wifi: cfg80211/mac80211: reject bad MBSSID elements
Per spec, the maximum value for the MaxBSSID ('n') indicator is 8, and the minimum is 1 since a multiple BSSID set with just one BSSID doesn't make sense (the # of BSSIDs is limited by 2^n). Limit this in the parsing in both cfg80211 and mac80211, rejecting any elements with an invalid value. This fixes potentially bad shifts in the processing of these inside the cfg80211_gen_new_bssid() function later. I found this during the investigation of CVE-2022-41674 fixed by the previous patch. Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Fixes: 78ac51f81532 ("mac80211: support multi-bssid") Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless/scan.c')
-rw-r--r--net/wireless/scan.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 62f8c10412ad..5dab33e1f3a8 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2143,6 +2143,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
if (elem->datalen < 4)
continue;
+ if (elem->data[0] < 1 || (int)elem->data[0] > 8)
+ continue;
for_each_element(sub, elem->data + 1, elem->datalen - 1) {
u8 profile_len;