From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Soenke Huster, Johannes Berg
Subject: [PATCH 5.4 32/38] wifi: cfg80211: ensure length byte is present before access
Date: Thu, 13 Oct 2022 19:52:33 +0200
Message-Id: <20221013175145.309108696@linuxfoundation.org>
In-Reply-To: <20221013175144.245431424@linuxfoundation.org>
References: <20221013175144.245431424@linuxfoundation.org>

From: Johannes Berg

commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.

When iterating the elements here, ensure the length byte is present before checking it to see if the entire element will fit into the buffer.

Longer term, we should rewrite this code using the type-safe element iteration macros that check all of this.

Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reported-by: Soenke Huster
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/wireless/scan.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -265,7 +265,8 @@ static size_t cfg80211_gen_new_ie(const tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie; - while (tmp_old + tmp_old[1] + 2 - ie <= ielen) { + while (tmp_old + 2 - ie <= ielen && + tmp_old + tmp_old[1] + 2 - ie <= ielen) { if (tmp_old[0] == 0) { tmp_old++; continue; 
@@ -325,7 +326,8 @@ static size_t cfg80211_gen_new_ie(const * copied to new ie, skip ssid, capability, bssid-index ie */ tmp_new = sub_copy; - while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { + while (tmp_new + 2 - sub_copy <= subie_len && + tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || tmp_new[0] == WLAN_EID_SSID)) { memcpy(pos, tmp_new, tmp_new[1] + 2);
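Review bot: in the first hunk (the loop at line 265), the new clause `tmp_old + 2 - ie <= ielen` must stay on the left of the `&&`, because it is the only thing that makes the `tmp_old[1]` read in the second clause safe; the pre-patch condition evaluated `tmp_old[1]` on every iteration, including the terminating one where `tmp_old` sits at or one byte before `ie + ielen`, so that read landed past the buffer. The `if (tmp_old[0] == 0) { tmp_old++; continue; }` path advances one byte and re-enters the same condition, so it is covered. Two smaller points: `tmp_old + 2 - ie` forms a pointer that can lie beyond one-past-the-end and yields a signed `ptrdiff_t` compared against the unsigned `ielen`; writing the test on the offset, `tmp_old - ie + 2 <= ielen`, avoids both without changing behaviour. The commit message's longer-term suggestion (the type-safe element iterators, `for_each_element()` and friends) would retire this hand-rolled arithmetic altogether.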
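Review bot: in the second hunk (the loop at line 325), the tightened condition only bounds the source side; `memcpy(pos, tmp_new, tmp_new[1] + 2)` still relies on the destination having room, and nothing visible in this hunk shows how `pos` is bounded against the output buffer. Worth confirming, or guarding with an explicit check before the `memcpy`, that the running total written to the new IE cannot exceed its allocation, since the sub-element buffer comes from received frame contents and is untrusted input. The same offset-versus-pointer style point as in the first hunk applies to `tmp_new + 2 - sub_copy`.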
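As an added example, not code from the patch or from the kernel tree, the two-part bound check the patch introduces, applied to a plain byte buffer of 802.11 information elements (1-byte ID, 1-byte length, payload). The sample element bytes, the `struct ie_walk` result type and the `walk_elements()` helper are constructed here for illustration. It walks the same three bytes presented as a complete buffer, a buffer cut inside the last payload, and a buffer cut right after an ID byte, and records whether the pre-patch condition would have read a length byte outside the buffer on that input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustration only (not kernel code). 802.11 elements are TLVs: a 1-byte
 * element ID, a 1-byte length, then that many payload bytes. The patched
 * loops in cfg80211_gen_new_ie() walk such a buffer; this helper performs
 * the same walk over a plain array and reports what it found.
 */
struct ie_walk {
	size_t complete;                 /* elements whose ID, length and payload all fit */
	size_t leftover;                 /* bytes after the last complete element */
	bool   old_check_reads_past_end; /* would the pre-patch condition have read a
	                                    length byte outside the buffer? */
};

struct ie_walk walk_elements(const uint8_t *ie, size_t ielen)
{
	struct ie_walk w = { 0, 0, false };
	const uint8_t *p = ie;

	for (;;) {
		size_t off = (size_t)(p - ie);

		/*
		 * First half of the patched condition: the ID and length bytes
		 * must both lie inside the buffer before p[1] is touched.
		 * The pre-patch loop evaluated p[1] unconditionally, so with
		 * zero or one byte remaining that read landed past the end.
		 */
		if (off + 2 > ielen) {
			w.old_check_reads_past_end = true;
			break;
		}
		/* Second half: the whole element must fit. p[1] is in bounds now. */
		if (off + 2 + p[1] > ielen)
			break;

		w.complete++;
		p += 2 + p[1];
	}
	w.leftover = ielen - (size_t)(p - ie);
	return w;
}

/* Constructed sample: SSID "test", Supported Rates, DS Parameter Set (14 bytes). */
static const uint8_t sample_ies[] = {
	0x00, 0x04, 't', 'e', 's', 't',    /* ID 0 (SSID), len 4 */
	0x01, 0x03, 0x82, 0x84, 0x8b,      /* ID 1 (Supported Rates), len 3 */
	0x03, 0x01, 0x06,                  /* ID 3 (DS Parameter Set), len 1 */
};

int main(void)
{
	/* Complete buffer, buffer cut inside the last payload, buffer cut
	 * right after the last element's ID byte (no length byte present). */
	const size_t lens[] = { sizeof(sample_ies), sizeof(sample_ies) - 1,
				sizeof(sample_ies) - 2 };

	for (size_t i = 0; i < 3; i++) {
		struct ie_walk w = walk_elements(sample_ies, lens[i]);
		printf("len=%zu complete=%zu leftover=%zu old_check_reads_past_end=%s\n",
		       lens[i], w.complete, w.leftover,
		       w.old_check_reads_past_end ? "yes" : "no");
	}
	return 0;
}
```

The walk exits through the first clause whenever fewer than two bytes remain, which is also the normal end of a well-formed buffer; that is why the flag is set for the complete 14-byte input as well as for the one-byte tail, and only the buffer cut inside a payload (where the length byte itself is still in bounds) leaves it clear.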