Commit | Line | Data |
---|---|---|
ee2e7db9 PM |
1 | From 9a8ef2030510a9d6ce86fd535b8d10720230811f Mon Sep 17 00:00:00 2001 |
2 | From: Johannes Berg <johannes.berg@intel.com> | |
3 | Date: Wed, 28 Sep 2022 21:56:15 +0200 | |
4 | Subject: [PATCH] wifi: cfg80211: fix u8 overflow in | |
5 | cfg80211_update_notlisted_nontrans() | |
6 | ||
7 | commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream. | |
8 | ||
9 | In the copy code of the elements, we do the following calculation | |
10 | to reach the end of the MBSSID element: | |
11 | ||
12 | /* copy the IEs after MBSSID */ | |
13 | cpy_len = mbssid[1] + 2; | |
14 | ||
15 | This looks fine, however, cpy_len is a u8, the same as mbssid[1], | |
16 | so the addition of two can overflow. In this case the subsequent | |
17 | memcpy() will overflow the allocated buffer, since it copies 256 | |
18 | bytes too much due to the way the allocation and memcpy() sizes | |
19 | are calculated. | |
20 | ||
21 | Fix this by using size_t for the cpy_len variable. | |
22 | ||
23 | This fixes CVE-2022-41674. | |
24 | ||
25 | Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de> | |
26 | Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de> | |
27 | Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") | |
28 | Reviewed-by: Kees Cook <keescook@chromium.org> | |
29 | Signed-off-by: Johannes Berg <johannes.berg@intel.com> | |
30 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
31 | --- | |
32 | net/wireless/scan.c | 2 +- | |
33 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
34 | ||
35 | diff --git a/net/wireless/scan.c b/net/wireless/scan.c | |
36 | index 1a8b76c9dd56..d9ab37a798f4 100644 | |
37 | --- a/net/wireless/scan.c | |
38 | +++ b/net/wireless/scan.c | |
39 | @@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, | |
40 | size_t new_ie_len; | |
41 | struct cfg80211_bss_ies *new_ies; | |
42 | const struct cfg80211_bss_ies *old; | |
43 | - u8 cpy_len; | |
44 | + size_t cpy_len; | |
45 | ||
46 | lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock); | |
47 | ||
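Review bot: the declaration change from `u8 cpy_len;` to `size_t cpy_len;` is sufficient only because the assignment quoted in the message, `cpy_len = mbssid[1] + 2;`, is evaluated in int before the store (mbssid[1] == 255 gives 257, which a u8 truncated to 1), and that assignment and the memcpy() sized from it sit outside this hunk; the review should confirm at the call site that no other u8 copy of this length is made on the way to memcpy() and that the copy stays bounded by the remaining IE length. A comment on the declaration, for example `size_t cpy_len; /* not u8: mbssid[1] + 2 can reach 257 */`, would keep a later cleanup from shrinking the type again.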
48 | -- | |
49 | 2.30.2 | |
50 |
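To make the arithmetic in the commit message concrete, the following C program is an added example and not the kernel's code: it computes how many bytes remain after the element once with a u8 length variable and once with the size_t the patch introduces, and shows that the u8 version yields exactly 256 bytes too many. The element layout, the helper names and the 512-byte scratch buffer are assumptions for illustration; the example goes a little beyond the text by also showing that an element length of 254 wraps (254 + 2 == 256, which a u8 stores as 0).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;

/* Constructed sample: one element (1-byte ID, 1-byte length, `len` body bytes)
 * followed by `trailing` bytes of further IEs. Returns the total length. */
static size_t build_ies(u8 *buf, size_t buf_len, u8 len, size_t trailing)
{
    size_t total = 2u + len + trailing;
    if (total > buf_len)
        return 0;
    buf[0] = 71;   /* Multiple BSSID element ID, only illustrative here */
    buf[1] = len;
    memset(buf + 2, 0xAA, len);
    memset(buf + 2 + len, 0xBB, trailing);
    return total;
}

/* Bytes after the element, computed the way the pre-patch code did:
 * elem[1] + 2 is evaluated in int, then truncated by the u8 store. */
static size_t ies_after_elem_u8(const u8 *elem, size_t total_len)
{
    u8 cpy_len = elem[1] + 2;   /* 257 becomes 1, 256 becomes 0 */
    return total_len - cpy_len;
}

/* Same computation with the patched type: size_t keeps 256 or 257. */
static size_t ies_after_elem_fixed(const u8 *elem, size_t total_len)
{
    size_t cpy_len = (size_t)elem[1] + 2;
    return total_len - cpy_len;
}

/* How many bytes the u8 version would copy beyond the correct amount. */
static size_t overcopy_bytes(u8 elem_len, size_t trailing)
{
    u8 ies[512];   /* scratch size is an assumption of this example */
    size_t ielen = build_ies(ies, sizeof ies, elem_len, trailing);
    if (ielen == 0)
        return 0;
    return ies_after_elem_u8(ies, ielen) - ies_after_elem_fixed(ies, ielen);
}

int main(void)
{
    printf("len 255: u8 over-copies %zu bytes\n", overcopy_bytes(255, 10));
    printf("len 254: u8 over-copies %zu bytes\n", overcopy_bytes(254, 10));
    printf("len 253: u8 over-copies %zu bytes\n", overcopy_bytes(253, 10));
    return 0;
}
```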