wifi: cfg80211: ensure length byte is present before access

commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.

When iterating the elements here, ensure the length byte is
present before checking it to see if the entire element will
fit into the buffer.

Longer term, we should rewrite this code using the type-safe
element iteration macros that check all of this.

Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index bce44485374d3444b00e3921bbae49cb27babfe9..fa7d94f505b0b9e6cc379fef5adc86e2228bf1b5 100644 (file)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
        tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
        tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
 
-       while (tmp_old + tmp_old[1] + 2 - ie <= ielen) {
+       while (tmp_old + 2 - ie <= ielen &&
+              tmp_old + tmp_old[1] + 2 - ie <= ielen) {
                if (tmp_old[0] == 0) {
                        tmp_old++;
                        continue;
@@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
         * copied to new ie, skip ssid, capability, bssid-index ie
         */
        tmp_new = sub_copy;
-       while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
+       while (tmp_new + 2 - sub_copy <= subie_len &&
+              tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
                if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
                      tmp_new[0] == WLAN_EID_SSID)) {
                        memcpy(pos, tmp_new, tmp_new[1] + 2);