cfg80211: check vendor IE length to avoid overrun

cfg80211_find_vendor_ie() was checking only that the vendor IE would fit in the remaining IEs buffer. If a corrupt includes a vendor IE that is too small, we could potentially overrun the IEs buffer. Fix this by checking that the vendor IE fits in the reported IE length field and skip it otherwise. Reported-by: N Jouni Malinen <j@w1.fi> Signed-off-by: N Luciano Coelho <coelho@ti.com> [change BUILD_BUG_ON to != 1 (from >= 2)] Signed-off-by: N Johannes Berg <johannes.berg@intel.com>

cfg80211: check vendor IE length to avoid overrun
cfg80211_find_vendor_ie() was checking only that the vendor IE would fit in the remaining IEs buffer. If a corrupt includes a vendor IE that is too small, we could potentially overrun the IEs buffer. Fix this by checking that the vendor IE fits in the reported IE length field and skip it otherwise. Reported-by: N Jouni Malinen <j@w1.fi> Signed-off-by: N Luciano Coelho <coelho@ti.com> [change BUILD_BUG_ON to != 1 (from >= 2)] Signed-off-by: N Johannes Berg <johannes.berg@intel.com>
6719429d · Luciano Coelho · Johannes Berg · bb92d199 · 6719429d
隐藏空白更改
内联并排

Showing with 8 addition and 4 deletion

net/wireless/scan.c net/wireless/scan.c +8 -4

未找到文件。
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -365,14 +365,18 @@ const u8 *cfg80211_find_vendor_ie(unsigned int oui, u8 oui_type,
 		if (!pos)
 			return NULL;

-		if (end - pos < sizeof(*ie))
-			return NULL;
-
 		ie = (struct ieee80211_vendor_ie *)pos;
+
+		/* make sure we can access ie->len */
+		BUILD_BUG_ON(offsetof(struct ieee80211_vendor_ie, len) != 1);
+
+		if (ie->len < sizeof(*ie))
+			goto cont;
+
 		ie_oui = ie->oui[0] << 16 | ie->oui[1] << 8 | ie->oui[2];
 		if (ie_oui == oui && ie->oui_type == oui_type)
 			return pos;
-
+cont:
 		pos += 2 + ie->len;
 	}
 	return NULL;