[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20191027203348.650128093@linuxfoundation.org>
Date: Sun, 27 Oct 2019 22:01:12 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Kees Cook <keescook@...omium.org>,
Nicolas Waisman <nico@...mle.com>,
Will Deacon <will@...nel.org>,
Johannes Berg <johannes.berg@...el.com>
Subject: [PATCH 4.14 095/119] mac80211: Reject malformed SSID elements
From: Will Deacon <will@...nel.org>
commit 4152561f5da3fca92af7179dd538ea89e248f9d0 upstream.
Although this shouldn't occur in practice, it's a good idea to bounds
check the length field of the SSID element prior to using it for things
like allocations or memcpy operations.
Cc: <stable@...r.kernel.org>
Cc: Kees Cook <keescook@...omium.org>
Reported-by: Nicolas Waisman <nico@...mle.com>
Signed-off-by: Will Deacon <will@...nel.org>
Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@...el.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
net/mac80211/mlme.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2430,7 +2430,8 @@ struct sk_buff *ieee80211_ap_probereq_ge
rcu_read_lock();
ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID);
- if (WARN_ON_ONCE(ssid == NULL))
+ if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN,
+ "invalid SSID element (len=%d)", ssid ? ssid[1] : -1))
ssid_len = 0;
else
ssid_len = ssid[1];
@@ -4756,7 +4757,7 @@ int ieee80211_mgd_assoc(struct ieee80211
rcu_read_lock();
ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID);
- if (!ssidie) {
+ if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) {
rcu_read_unlock();
kfree(assoc_data);
return -EINVAL;
Powered by blists - more mailing lists