summaryrefslogtreecommitdiffstats
path: root/net/wireless/scan.c
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2022-09-28 21:56:15 +0200
committerJohannes Berg <johannes.berg@intel.com>2022-10-10 09:49:52 +0200
commitaebe9f4639b13a1f4e9a6b42cdd2e38c617b442d (patch)
treed86f40e07b9997801cb4f1cd0d60eeda5db34221 /net/wireless/scan.c
parentaf7d23f9d96a3e9647cff8619a6860d73b109b5f (diff)
downloadlinux-aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d.tar.gz
linux-aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d.tar.bz2
linux-aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d.zip
wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()
In the copy code of the elements, we do the following calculation to reach the end of the MBSSID element: /* copy the IEs after MBSSID */ cpy_len = mbssid[1] + 2; This looks fine, however, cpy_len is a u8, the same as mbssid[1], so the addition of two can overflow. In this case the subsequent memcpy() will overflow the allocated buffer, since it copies 256 bytes too much due to the way the allocation and memcpy() sizes are calculated. Fix this by using size_t for the cpy_len variable. This fixes CVE-2022-41674. Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de> Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless/scan.c')
-rw-r--r--net/wireless/scan.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 5382fc2003db..62f8c10412ad 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2279,7 +2279,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
size_t new_ie_len;
struct cfg80211_bss_ies *new_ies;
const struct cfg80211_bss_ies *old;
- u8 cpy_len;
+ size_t cpy_len;
lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);