diff options
author | graysky | 2022-10-14 05:13:33 -0400 |
---|---|---|
committer | graysky | 2022-10-14 05:13:33 -0400 |
commit | eac1e41745ffa9f881f99deba886e2da1095dc8b (patch) | |
tree | 8e547aee066d654d63c81bfadeec402f654691e9 /0005-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch | |
parent | c605c9da9642e684485a2563e6ca5b940171fdc8 (diff) | |
download | aur-eac1e41745ffa9f881f99deba886e2da1095dc8b.tar.gz |
Update to 6.0.1-2
Diffstat (limited to '0005-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch')
-rw-r--r-- | 0005-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/0005-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch b/0005-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch new file mode 100644 index 000000000000..fa3db444f5b6 --- /dev/null +++ b/0005-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch @@ -0,0 +1,59 @@ +From 8493abdd8f425b7940001fe0324e63b207c90f56 Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Wed, 28 Sep 2022 22:01:37 +0200 +Subject: [PATCH 05/13] wifi: cfg80211/mac80211: reject bad MBSSID elements + +commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream. + +Per spec, the maximum value for the MaxBSSID ('n') indicator is 8, +and the minimum is 1 since a multiple BSSID set with just one BSSID +doesn't make sense (the # of BSSIDs is limited by 2^n). + +Limit this in the parsing in both cfg80211 and mac80211, rejecting +any elements with an invalid value. + +This fixes potentially bad shifts in the processing of these inside +the cfg80211_gen_new_bssid() function later. + +I found this during the investigation of CVE-2022-41674 fixed by the +previous patch. + +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Fixes: 78ac51f81532 ("mac80211: support multi-bssid") +Reviewed-by: Kees Cook <keescook@chromium.org> +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/mac80211/util.c | 2 ++ + net/wireless/scan.c | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index efcefb2dd882..3d097386b2b9 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -1442,6 +1442,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len, + for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { + if (elem->datalen < 2) + continue; ++ if (elem->data[0] < 1 || elem->data[0] > 8) ++ continue; + + for_each_element(sub, elem->data + 1, elem->datalen - 1) { + u8 new_bssid[ETH_ALEN]; +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index f59bfc09ca60..bce44485374d 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -2143,6 +2143,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy, + for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) { + if (elem->datalen < 4) + continue; ++ if (elem->data[0] < 1 || (int)elem->data[0] > 8) ++ continue; + for_each_element(sub, elem->data + 1, elem->datalen - 1) { + u8 profile_len; + +-- +2.38.0 + |