+++ /dev/null
-From 9e99ca59ed3976921f8891c103d503b6da3e78af Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 29 Sep 2022 21:50:44 +0200
-Subject: [PATCH] wifi: cfg80211: ensure length byte is present before access
-
-commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
-
-When iterating the elements here, ensure the length byte is
-present before checking it to see if the entire element will
-fit into the buffer.
-
-Longer term, we should rewrite this code using the type-safe
-element iteration macros that check all of this.
-
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/wireless/scan.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index 84c642eae4d8..04c9b78b3fec 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
- tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
- tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
-
-- while (tmp_old + tmp_old[1] + 2 - ie <= ielen) {
-+ while (tmp_old + 2 - ie <= ielen &&
-+ tmp_old + tmp_old[1] + 2 - ie <= ielen) {
- if (tmp_old[0] == 0) {
- tmp_old++;
- continue;
-@@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
- * copied to new ie, skip ssid, capability, bssid-index ie
- */
- tmp_new = sub_copy;
-- while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
-+ while (tmp_new + 2 - sub_copy <= subie_len &&
-+ tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
- if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
- tmp_new[0] == WLAN_EID_SSID)) {
- memcpy(pos, tmp_new, tmp_new[1] + 2);
---
-2.30.2
-
projects / people / pmueller / ipfire-2.x.git / blobdiff