From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johannes Berg
Subject: [PATCH 5.10 065/188] cfg80211: check S1G beacon compat element length
Date: Mon, 12 Apr 2021 10:39:39 +0200
Message-Id: <20210412084015.817030388@linuxfoundation.org>
In-Reply-To: <20210412084013.643370347@linuxfoundation.org>

From: Johannes Berg

commit b5ac0146492fc5c199de767e492be8a66471011a upstream.

We need to check the length of this element so that we don't
access data beyond its end. Fix that.

Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results")
Link: https://lore.kernel.org/r/20210408142826.f6f4525012de.I9fdeff0afdc683a6024e5ea49d2daa3cd2459d11@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/wireless/scan.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2351,14 +2351,16 @@ cfg80211_inform_single_bss_frame_data(st return NULL; if (ext) { - struct ieee80211_s1g_bcn_compat_ie *compat; - u8 *ie; + const struct ieee80211_s1g_bcn_compat_ie *compat; + const struct element *elem; - ie = (void *)cfg80211_find_ie(WLAN_EID_S1G_BCN_COMPAT, - variable, ielen); - if (!ie) + elem = cfg80211_find_elem(WLAN_EID_S1G_BCN_COMPAT, + variable, ielen); + if (!elem) return NULL; - compat = (void *)(ie + 2); + if (elem->datalen < sizeof(*compat)) + return NULL; + compat = (void *)elem->data; bssid = ext->u.s1g_beacon.sa; capability = le16_to_cpu(compat->compat_info); beacon_int = le16_to_cpu(compat->beacon_int);
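
Review bot: the cast in `compat = (void *)elem->data;` discards the const qualifier that this hunk has just added to both `elem` and `compat`; `(const void *)elem->data` would keep the pointer const end to end. The new `elem->datalen < sizeof(*compat)` test sits where it should, before the first dereference in `le16_to_cpu(compat->compat_info)`, and a too-short element now takes the same `return NULL` path as a missing one. The commit message says only "this element"; naming WLAN_EID_S1G_BCN_COMPAT and noting that the old code read `ie + 2` without looking at the element's length field would make the stable backport easier to triage.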