From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johannes Berg
Subject: [PATCH 5.3 086/148] cfg80211: validate SSID/MBSSID element ordering assumption
Date: Thu, 10 Oct 2019 10:35:47 +0200
Message-Id: <20191010083616.576489163@linuxfoundation.org>
In-Reply-To: <20191010083609.660878383@linuxfoundation.org>
References: <20191010083609.660878383@linuxfoundation.org>

From: Johannes Berg

commit 242b0931c1918c56cd1dc5563fd250a3c39b996d upstream.

The code copying the data assumes that the SSID element is
before the MBSSID element, but since the data is untrusted
from the AP, this cannot be guaranteed.

Validate that this is indeed the case and ignore the MBSSID
otherwise, to avoid having to deal with both cases for the
copy of data that should be between them.

Cc: stable@vger.kernel.org
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Link: https://lore.kernel.org/r/1569009255-I1673911f5eae02964e21bdc11b2bf58e5e207e59@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman

--- net/wireless/scan.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1711,7 +1711,12 @@ cfg80211_update_notlisted_nontrans(struc return; new_ie_len -= trans_ssid[1]; mbssid = cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen); - if (!mbssid) + /* + * It's not valid to have the MBSSID element before SSID + * ignore if that happens - the code below assumes it is + * after (while copying things inbetween). + */ + if (!mbssid || mbssid < trans_ssid) return; new_ie_len -= mbssid[1]; rcu_read_lock();
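
Review bot: the new condition `mbssid < trans_ssid` is a raw pointer comparison, so it only expresses element ordering if both pointers refer into the same buffer. `mbssid` visibly comes from `cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen)`, but the lookup that produced `trans_ssid` is above the hunk; it is worth confirming it searches the same `ie`/`ielen`, and saying so in the comment, so the check is not silently invalidated if that lookup is ever changed. The added comment also runs two sentences together ("before SSID ignore if that happens") and uses "inbetween"; suggest "... before SSID; ignore it if that happens ..." and "in between". Since the early return now also covers malformed input from the AP rather than only a missing element, the comment could state that the frame's MBSSID data is dropped without any diagnostic, as that is what a reader debugging a missed nontransmitted BSS will be looking for.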