UPSTREAM: wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()
commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
In the copy code of the elements, we do the following calculation
to reach the end of the MBSSID element:
/* copy the IEs after MBSSID */
cpy_len = mbssid[1] + 2;
This looks fine, however, cpy_len is a u8, the same as mbssid[1],
so the addition of two can overflow. In this case the subsequent
memcpy() will overflow the allocated buffer, since it copies 256
bytes too much due to the way the allocation and memcpy() sizes
are calculated.
Fix this by using size_t for the cpy_len variable.
This fixes CVE-2022-41674.
Bug: 253641805
Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb8235b ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I25a9aebdc6507fd3d7c2aaa7348276afd5da7499
This commit is contained in:
Johannes Berg
Treehugger Robot
parent
f7fbd478a0
commit
40a8e0ed5c
@ -1738,7 +1738,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
|
|||||||
size_t new_ie_len;
|
size_t new_ie_len;
|
||||||
struct cfg80211_bss_ies *new_ies;
|
struct cfg80211_bss_ies *new_ies;
|
||||||
const struct cfg80211_bss_ies *old;
|
const struct cfg80211_bss_ies *old;
|
||||||
u8 cpy_len;
|
size_t cpy_len;
|
||||||
|
|
||||||
lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
|
lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user