git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Johannes Berg <johannes.berg@intel.com>
	Wed, 28 Sep 2022 19:56:15 +0000 (21:56 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 15 Oct 2022 06:02:57 +0000 (08:02 +0200)
commit	fc1ed6d0c9898a68da7f1f7843560dfda57683e2
tree	b3e99e7c957d6d361e479cab5a95c5405a2b0912	tree \| snapshot
parent	a232bc42e1b746fef4a821459dc44643f16bad51	commit \| diff

wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()

commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.

In the copy code of the elements, we do the following calculation
to reach the end of the MBSSID element:

/* copy the IEs after MBSSID */
cpy_len = mbssid[1] + 2;

This looks fine, however, cpy_len is a u8, the same as mbssid[1],
so the addition of two can overflow. In this case the subsequent
memcpy() will overflow the allocated buffer, since it copies 256
bytes too much due to the way the allocation and memcpy() sizes
are calculated.

Fix this by using size_t for the cpy_len variable.

This fixes CVE-2022-41674.

Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>