mirror of
https://github.com/openwrt/openwrt.git
synced 2025-02-08 20:10:37 +00:00
f1de43d0a0
This mainly affects scanning and beacon parsing, especially with MBSSID enabled Fixes: CVE-2022-41674 Fixes: CVE-2022-42719 Fixes: CVE-2022-42720 Fixes: CVE-2022-42721 Fixes: CVE-2022-42722 Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 26f400210d6b3780fcc0deb89b9741837df9c8b8)
42 lines
1.3 KiB
Diff
42 lines
1.3 KiB
Diff
From: Johannes Berg <johannes.berg@intel.com>
|
|
Date: Wed, 28 Sep 2022 21:56:15 +0200
|
|
Subject: [PATCH] wifi: cfg80211: fix u8 overflow in
|
|
cfg80211_update_notlisted_nontrans()
|
|
|
|
commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
|
|
|
|
In the copy code of the elements, we do the following calculation
|
|
to reach the end of the MBSSID element:
|
|
|
|
/* copy the IEs after MBSSID */
|
|
cpy_len = mbssid[1] + 2;
|
|
|
|
This looks fine, however, cpy_len is a u8, the same as mbssid[1],
|
|
so the addition of two can overflow. In this case the subsequent
|
|
memcpy() will overflow the allocated buffer, since it copies 256
|
|
bytes too much due to the way the allocation and memcpy() sizes
|
|
are calculated.
|
|
|
|
Fix this by using size_t for the cpy_len variable.
|
|
|
|
This fixes CVE-2022-41674.
|
|
|
|
Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
|
|
Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
|
|
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
|
|
Reviewed-by: Kees Cook <keescook@chromium.org>
|
|
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
---
|
|
|
|
--- a/net/wireless/scan.c
|
|
+++ b/net/wireless/scan.c
|
|
@@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struc
|
|
size_t new_ie_len;
|
|
struct cfg80211_bss_ies *new_ies;
|
|
const struct cfg80211_bss_ies *old;
|
|
- u8 cpy_len;
|
|
+ size_t cpy_len;
|
|
|
|
lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
|
|
|