Commit 497089c4 authored by Johannes Berg, committed by Yi Yang

wifi: cfg80211: fix buffer overflow in elem comparison

stable inclusion
from stable-v5.10.158
commit 9e6b79a3cd17620d467311b30d56f2648f6880aa
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYREV
CVE: CVE-2022-49023

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9e6b79a3cd17620d467311b30d56f2648f6880aa



--------------------------------

[ Upstream commit 9f16b5c8 ]

For vendor elements, the code here assumes that 5 octets
are present without checking. Since the element itself is
already checked to fit, we only need to check the length.

Reported-and-tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yi Yang <yiyang13@huawei.com>
parent 1405b0f8
+2 −1
@@ -330,7 +330,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
			 * determine if they are the same ie.
			 */
			if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) {
				if (!memcmp(tmp_old + 2, tmp + 2, 5)) {
				if (tmp_old[1] >= 5 && tmp[1] >= 5 &&
				    !memcmp(tmp_old + 2, tmp + 2, 5)) {
					/* same vendor ie, copy from
					 * subelement
					 */
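
Review bot: The literal 5 in the new guard `tmp_old[1] >= 5 && tmp[1] >= 5` and in the `memcmp(tmp_old + 2, tmp + 2, 5)` it protects is an unexplained magic number that now appears three times in one condition. A named constant, or a short comment saying which 5 octets of the vendor element payload identify "the same vendor ie", would keep the length test and the compare length from drifting apart in a later edit. The guard also depends on `tmp_old[1]` and `tmp[1]` being length octets of elements already validated to fit their buffers, which the commit message states but this hunk does not show; a one-line comment pointing at that earlier validation would make the dependency explicit. Finally, a vendor element with fewer than 5 payload octets now takes the not-matching path, so it is worth confirming that path handles such a short element as intended.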