1 | From 0a861bd25dad508e492c48169509d8c6b9246895 Mon Sep 17 00:00:00 2001 |
2 | From: Johannes Berg <johannes.berg@intel.com> | |
3 | Date: Wed, 28 Sep 2022 22:01:37 +0200 | |
4 | Subject: [PATCH] wifi: cfg80211/mac80211: reject bad MBSSID elements | |
5 | ||
6 | commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream. | |
7 | ||
8 | Per spec, the maximum value for the MaxBSSID ('n') indicator is 8, | |
9 | and the minimum is 1 since a multiple BSSID set with just one BSSID | |
10 | doesn't make sense (the # of BSSIDs is limited by 2^n). | |
11 | ||
12 | Limit this in the parsing in both cfg80211 and mac80211, rejecting | |
13 | any elements with an invalid value. | |
14 | ||
15 | This fixes potentially bad shifts in the processing of these inside | |
16 | the cfg80211_gen_new_bssid() function later. | |
17 | ||
18 | I found this during the investigation of CVE-2022-41674 fixed by the | |
19 | previous patch. | |
20 | ||
21 | Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") | |
22 | Fixes: 78ac51f81532 ("mac80211: support multi-bssid") | |
23 | Reviewed-by: Kees Cook <keescook@chromium.org> | |
24 | Signed-off-by: Johannes Berg <johannes.berg@intel.com> | |
25 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
26 | --- | |
27 | net/mac80211/util.c | 2 ++ | |
28 | net/wireless/scan.c | 2 ++ | |
29 | 2 files changed, 4 insertions(+) | |
30 | ||
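diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index be1911d8089f..00543ea9c6b5 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1414,6 +1414,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
 if (elem->datalen < 2)
 continue;
+ if (elem->data[0] < 1 || elem->data[0] > 8)
+ continue;
 
 for_each_element(sub, elem->data + 1, elem->datalen - 1) {
 u8 new_bssid[ETH_ALEN];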
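Review bot: The bounds in the added `if (elem->data[0] < 1 || elem->data[0] > 8)` are bare literals with no comment, and the same range is written a second time in the net/wireless/scan.c hunk. The byte comes from a Multiple BSSID element in a received frame, so both parsers need to keep rejecting exactly the same values; a shared pair of named limits or a small inline helper called from both places would keep the two copies from drifting apart. At minimum I would add above the check `/* MaxBSSID indicator n must be 1..8; other values cause bad shifts in cfg80211_gen_new_bssid() */`. The enclosing function starts and ends outside this hunk.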
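diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index d9ab37a798f4..84c642eae4d8 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2103,6 +2103,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
 if (elem->datalen < 4)
 continue;
+ if (elem->data[0] < 1 || (int)elem->data[0] > 8)
+ continue;
 for_each_element(sub, elem->data + 1, elem->datalen - 1) {
 u8 profile_len;
 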
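Review bot: The `(int)` cast in `(int)elem->data[0] > 8` appears to do nothing: if `data` is a u8 array, as the u8-typed code around it suggests, the operand is promoted to int for the comparison anyway. It also makes this copy of the range check differ from the one added in net/mac80211/util.c for no visible reason, which leaves a reader wondering whether the two are meant to behave differently. I would write `if (elem->data[0] < 1 || elem->data[0] > 8)` here as well. cfg80211_parse_mbssid_data() continues outside the hunk.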
57 | -- | |
58 | 2.30.2 | |
59 |