iw: scan: fix buffer over-read in print_ies()
authorMarkus Theil <markus.theil@tu-ilmenau.de>
Sun, 9 Feb 2020 16:58:56 +0000 (17:58 +0100)
committerJohannes Berg <johannes.berg@intel.com>
Thu, 13 Feb 2020 18:18:24 +0000 (19:18 +0100)
This patch correctly checks whether enough data bytes for parsing IEs
are present (-2 in the check, for the type and length bytes).
Furthermore, it adds a NULL pointer and length check to ease future fuzzing.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Link: https://lore.kernel.org/r/20200209165902.44110-3-markus.theil@tu-ilmenau.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
scan.c

diff --git a/scan.c b/scan.c
index 94def00b9e486dd45d397f2225b630d7294e47f7..49db7f1c0209ed26db1073db07c82914192cb04d 100644 (file)
--- a/scan.c
+++ b/scan.c
@@ -2190,7 +2190,10 @@ void print_ies(unsigned char *ie, int ielen, bool unknown,
                .ie = ie,
                .ielen = ielen };
 
-       while (ielen >= 2 && ielen >= ie[1]) {
+       if (ie == NULL || ielen < 0)
+               return;
+
+       while (ielen >= 2 && ielen - 2 >= ie[1]) {
                if (ie[0] < ARRAY_SIZE(ieprinters) &&
                    ieprinters[ie[0]].name &&
                    ieprinters[ie[0]].flags & BIT(ptype)) {
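Review bot: The corrected bound in `while (ielen >= 2 && ielen - 2 >= ie[1])` has no comment explaining why 2 is subtracted, and that omission was the original over-read, so a one-line comment above the loop would guard against regression: `/* the 2-byte header (id, len) must fit, followed by ie[1] payload bytes */`. In the added guard, `ielen < 0` is already implied by the loop's `ielen >= 2`, so only the `ie == NULL` test adds protection. The loop body and the rest of print_ies() lie outside this hunk, so it is not visible whether a truncated trailing element is reported when the loop stops early. If it is not, a short diagnostic after the loop would make malformed scan data visible instead of silently dropping it.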