git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	John Walker <johnwalker0@gmail.com>
	Thu, 7 May 2026 23:07:20 +0000 (17:07 -0600)
committer	Johannes Berg <johannes.berg@intel.com>
	Fri, 8 May 2026 07:20:03 +0000 (09:20 +0200)
commit	7666dbb1bacc4ba522b96740cba7283d243d16e1
tree	b343057c7bbac6433e41da74f2121d42f49dd961	tree \| snapshot
parent	fcee7d82f27d6a8b1ddc5bbefda59b4e441e9bc0	commit \| diff

wifi: cfg80211: advance loop vars in cfg80211_merge_profile()

cfg80211_merge_profile() reassembles a Multi-BSSID non-transmitted BSS
profile that has been split across multiple consecutive MBSSID elements.
Its while-loop calls

cfg80211_get_profile_continuation(ie, ielen, mbssid_elem, sub_elem)

but never advances mbssid_elem or sub_elem inside the body. Each
iteration therefore searches for a continuation that follows the same
fixed pair; the helper returns the same next_mbssid; and the same
next_sub bytes are memcpy()'d into merged_ie at a growing offset until
the buffer fills.

Advance both mbssid_elem and sub_elem to the just-consumed continuation
so the next call to cfg80211_get_profile_continuation() searches for a
further continuation beyond it (or returns NULL when none exists).

A specially-crafted malicious beacon can take advantage of this bug
to cause the kernel to spend an excessive amount of time in
cfg80211_merge_profile (up to as much as 2ms per beacon received),
which could theoretically be abused in some way.

Cc: stable@vger.kernel.org
Fixes: fe806e4992c9 ("cfg80211: support profile split between elements")
Signed-off-by: John Walker <johnwalker0@gmail.com>
Link: https://patch.msgid.link/20260507230720.64783-1-johnwalker0@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>