wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()

[ Upstream commit 62b635dcd69c4fde7ce1de4992d71420a37e51e3 ]

If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would
lead to memory corruption so add some bounds checking.

Fixes: c38c70185101 ("wifi: cfg80211: Set SSID if it is not already set")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/0aaaae4a3ed37c6252363c34ae4904b1604e8e32.1756456951.git.dan.carpenter@linaro.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 26817160008766c5be426a913f548e006677d515..e0d3c713538b5a236331967805051e83e87e8cd7 100644 (file)
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -903,13 +903,16 @@ void __cfg80211_connect_result(struct net_device *dev,
        if (!wdev->u.client.ssid_len) {
                rcu_read_lock();
                for_each_valid_link(cr, link) {
+                       u32 ssid_len;
+
                        ssid = ieee80211_bss_get_elem(cr->links[link].bss,
                                                      WLAN_EID_SSID);
 
                        if (!ssid || !ssid->datalen)
                                continue;
 
-                       memcpy(wdev->u.client.ssid, ssid->data, ssid->datalen);
+                       ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN);
+                       memcpy(wdev->u.client.ssid, ssid->data, ssid_len);
                        wdev->u.client.ssid_len = ssid->datalen;
                        break;
                }