Skip to content

Commit

Permalink
wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()
Browse files Browse the repository at this point in the history 
In the copy code of the elements, we do the following calculation
to reach the end of the MBSSID element:

	/* copy the IEs after MBSSID */
	cpy_len = mbssid[1] + 2;

This looks fine, however, cpy_len is a u8, the same as mbssid[1],
so the addition of two can overflow. In this case the subsequent
memcpy() will overflow the allocated buffer, since it copies 256
bytes too much due to the way the allocation and memcpy() sizes
are calculated.

Fix this by using size_t for the cpy_len variable.

This fixes CVE-2022-41674.

Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Link: https://lore.kernel.org/lkml/20221013175147.067414219@linuxfoundation.org/
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d
Git-repo: https://android.googlesource.com/kernel/common

Change-Id: If6ed330dc65fdf387ee8584b5a69840242edf5cf
Signed-off-by: Vulupala Shashank Reddy<quic_vulupa@quicinc.com>
  • Loading branch information
@jmberg-intel
jmberg-intel authored and Gerrit - the friendly Code Review server committed Nov 11, 2022
1 parent 587da9f commit 85a4975
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion net/wireless/scan.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1548,7 +1548,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
size_t new_ie_len;
struct cfg80211_bss_ies *new_ies;
const struct cfg80211_bss_ies *old;
u8 cpy_len;
size_t cpy_len;

ie = mgmt->u.probe_resp.variable;

Expand Down

0 comments on commit 85a4975

Please sign in to comment.