lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <7cgt3pqpucb6glnmvjzymfisc23i5lcnc5vulaxfenkfe7tqmh@epuecpytt4sf>
Date: Tue, 17 Jun 2025 16:45:02 +1000
From: Lachlan Hodges <lachlan.hodges@...semicro.com>
To: Edward Adam Davis <eadavis@...com>
Cc: syzbot+6554b492c7008bcd3385@...kaller.appspotmail.com, 
	johannes@...solutions.net, linux-kernel@...r.kernel.org, linux-wireless@...r.kernel.org, 
	netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] wifi: mac80211: fix oob in ieee80211_rx_mgmt_beacon

On Tue, Jun 17, 2025 at 12:41:33PM +0800, Edward Adam Davis wrote:
> According to ieee80211_s1g_optional_len(), it can be clearly seen that the
> maximum size of variable is 4 and it is an array. Based on the above, the
> parsing of the frame control field and optional field is optimized.

Hi,

This is incorrect according to IEEE80211-2024 9.3.4.3. In addition, the 
undefined behaviour reported by the bot due to using zero length arrays
rather then variable length arrays already has a patch submitted by
Johanes - please see:

Link: https://patchwork.kernel.org/project/linux-wireless/patch/20250614003037.a3e82e882251.I2e8b58e56ff2a9f8b06c66f036578b7c1d4e4685@changeid/

lachlan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ