From: Roy Marples <roy@marples.name>
Date: Sat, 20 Jun 2026 11:16:51 +0000 (+0100)
Subject: linux: Ensure NLA data boundaries are valid
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;ds=sidebyside;p=thirdparty%2Fdhcpcd.git

linux: Ensure NLA data boundaries are valid

Reported by NVIDIA Project Vanessa
---

diff --git a/src/if-linux.c b/src/if-linux.c
index 0359d1b2..41893815 100644
--- a/src/if-linux.c
+++ b/src/if-linux.c
@@ -1517,7 +1517,7 @@ _if_getssid_nl80211(__unused struct dhcpcd_ctx *ctx, void *arg,
 	ie = NLA_DATA(bss[NL80211_BSS_INFORMATION_ELEMENTS]);
 	ie_len = (int)NLA_LEN(bss[NL80211_BSS_INFORMATION_ELEMENTS]);
 	/* ie[0] is type, ie[1] is lenth, ie[2..] is data */
-	while (ie_len >= 2 && ie_len >= ie[1]) {
+	while (ie_len >= 2 && ie_len >= ie[1] + 2) {
 		if (ie[0] == 0) {
 			/* SSID */
 			if (ie[1] > IF_SSIDLEN) {
@@ -1525,7 +1525,8 @@ _if_getssid_nl80211(__unused struct dhcpcd_ctx *ctx, void *arg,
 				return -1;
 			}
 			ifp->ssid_len = ie[1];
-			memcpy(ifp->ssid, ie + 2, ifp->ssid_len);
+			if (ifp->ssid_len != 0)
+				memcpy(ifp->ssid, ie + 2, ifp->ssid_len);
 			return (int)ifp->ssid_len;
 		}
 		ie_len -= ie[1] + 2;