Commit cd21d99e authored by Phil Turnbull's avatar Phil Turnbull Committed by Kalle Valo
Browse files

wifi: wilc1000: validate pairwise and authentication suite offsets 



There is no validation of 'offset' which can trigger an out-of-bounds
read when extracting RSN capabilities.

Signed-off-by: default avatarPhil Turnbull <philipturnbull@github.com>
Tested-by: default avatarAjay Kathat <ajay.kathat@microchip.com>
Acked-by: default avatarAjay Kathat <ajay.kathat@microchip.com>
Signed-off-by: default avatarKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.com
parent 2d0b08c1

drivers/net/wireless/microchip/wilc1000/hif.c

+16 −5
Original line number Diff line number Diff line
@@ -482,15 +482,26 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, 


	rsn_ie = cfg80211_find_ie(WLAN_EID_RSN, ies->data, ies->len);

	if (rsn_ie) {

		int rsn_ie_len = sizeof(struct element) + rsn_ie[1];

		int offset = 8;



		param->mode_802_11i = 2;

		param->rsn_found = true;

		/* extract RSN capabilities */

		if (offset < rsn_ie_len) {

			/* skip over pairwise suites */

			offset += (rsn_ie[offset] * 4) + 2;



			if (offset < rsn_ie_len) {

				/* skip over authentication suites */

				offset += (rsn_ie[offset] * 4) + 2;



				if (offset + 1 < rsn_ie_len) {

					param->mode_802_11i = 2;

					param->rsn_found = true;

					memcpy(param->rsn_cap, &rsn_ie[offset], 2);

				}

			}

		}

	}



	if (param->rsn_found) {

		int i;