diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2022-10-13 11:59:16 +0200 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2022-10-13 11:59:56 +0200 |
| commit | e7ad651c31c5e1289323e6c680be6e582a593b26 (patch) | |
| tree | 7170b192203a8fafc16ccee7ce79d475d8df0272 /net/mac80211/util.c | |
| parent | wifi: ath11k: mac: fix reading 16 bytes from a region of size 0 warning (diff) | |
| parent | wifi: cfg80211: update hidden BSSes to avoid WARN_ON (diff) | |
| download | linux-e7ad651c31c5e1289323e6c680be6e582a593b26.tar.xz linux-e7ad651c31c5e1289323e6c680be6e582a593b26.zip | |
Merge branch 'cve-fixes-2022-10-13'
Pull in the fixes for various scan parsing bugs found by
Sönke Huster by fuzzing.
Diffstat (limited to 'net/mac80211/util.c')
| -rw-r--r-- | net/mac80211/util.c | 32 |
1 files changed, 17 insertions, 15 deletions
diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 1e929b82deef..b512cb37aafb 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1445,6 +1445,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len, for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { if (elem->datalen < 2) continue; + if (elem->data[0] < 1 || elem->data[0] > 8) + continue; for_each_element(sub, elem->data + 1, elem->datalen - 1) { u8 new_bssid[ETH_ALEN]; @@ -1504,24 +1506,26 @@ ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params) const struct element *non_inherit = NULL; u8 *nontransmitted_profile; int nontransmitted_profile_len = 0; + size_t scratch_len = params->len; - elems = kzalloc(sizeof(*elems), GFP_ATOMIC); + elems = kzalloc(sizeof(*elems) + scratch_len, GFP_ATOMIC); if (!elems) return NULL; elems->ie_start = params->start; elems->total_len = params->len; - - nontransmitted_profile = kmalloc(params->len, GFP_ATOMIC); - if (nontransmitted_profile) { - nontransmitted_profile_len = - ieee802_11_find_bssid_profile(params->start, params->len, - elems, params->bss, - nontransmitted_profile); - non_inherit = - cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, - nontransmitted_profile, - nontransmitted_profile_len); - } + elems->scratch_len = scratch_len; + elems->scratch_pos = elems->scratch; + + nontransmitted_profile = elems->scratch_pos; + nontransmitted_profile_len = + ieee802_11_find_bssid_profile(params->start, params->len, + elems, params->bss, + nontransmitted_profile); + elems->scratch_pos += nontransmitted_profile_len; + elems->scratch_len -= nontransmitted_profile_len; + non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, + nontransmitted_profile, + nontransmitted_profile_len); elems->crc = _ieee802_11_parse_elems_full(params, elems, non_inherit); @@ -1555,8 +1559,6 @@ ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params) offsetofend(struct ieee80211_bssid_index, dtim_count)) elems->dtim_count = elems->bssid_index->dtim_count; - kfree(nontransmitted_profile); - return elems; } |