26f400210d
This mainly affects scanning and beacon parsing, especially with MBSSID enabled.

Fixes: CVE-2022-41674
Fixes: CVE-2022-42719
Fixes: CVE-2022-42720
Fixes: CVE-2022-42721
Fixes: CVE-2022-42722
Signed-off-by: Felix Fietkau <nbd@nbd.name>
42 lines
1.5 KiB
From: Johannes Berg <johannes.berg@intel.com>
|
|
Date: Thu, 29 Sep 2022 21:50:44 +0200
|
|
Subject: [PATCH] wifi: cfg80211: ensure length byte is present before
|
|
access
|
|
|
|
commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
|
|
|
|
When iterating the elements here, ensure the length byte is
|
|
present before checking it to see if the entire element will
|
|
fit into the buffer.
|
|
|
|
Longer term, we should rewrite this code using the type-safe
|
|
element iteration macros that check all of this.
|
|
|
|
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
|
|
Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
|
|
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
---
|
|
|
|
--- a/net/wireless/scan.c
|
|
+++ b/net/wireless/scan.c
|
|
@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const
|
|
tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
|
|
tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
|
|
|
|
- while (tmp_old + tmp_old[1] + 2 - ie <= ielen) {
|
|
+ while (tmp_old + 2 - ie <= ielen &&
|
|
+ tmp_old + tmp_old[1] + 2 - ie <= ielen) {
|
|
if (tmp_old[0] == 0) {
|
|
tmp_old++;
|
|
continue;
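Review bot: The `tmp_old[0] == 0` branch still advances by a single byte (`tmp_old++`), so after the new guard keeps the read in bounds, the following iteration interprets that element's length byte as an element ID and the byte after it as a length; this looks like it treats a zero byte as padding rather than as a second SSID element, which I cannot confirm from the hunk. If the intent is to skip an element, the skip is `tmp_old += tmp_old[1] + 2;` (the same stride the loop condition already validates); if zero bytes are deliberately treated as padding, a one-line comment such as `/* stray zero byte: treat as padding, not an SSID element */` would stop the next reader from "fixing" it. Either way the added two-part condition now bounds every read, so this is a parsing-fidelity question rather than a memory-safety one. cfg80211_gen_new_ie's body begins and ends outside this hunk.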
|
|
@@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const
|
|
* copied to new ie, skip ssid, capability, bssid-index ie
|
|
*/
|
|
tmp_new = sub_copy;
|
|
- while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
|
|
+ while (tmp_new + 2 - sub_copy <= subie_len &&
|
|
+ tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
|
|
if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
|
|
tmp_new[0] == WLAN_EID_SSID)) {
|
|
memcpy(pos, tmp_new, tmp_new[1] + 2);
|