| From 54af4388158fa0b403853770d444ff8c85b88837 Mon Sep 17 00:00:00 2001 |
| From: Will Deacon <will@kernel.org> |
| Date: Fri, 4 Oct 2019 10:51:31 +0100 |
| Subject: [PATCH] mac80211: Reject malformed SSID elements |
| |
| commit 4152561f5da3fca92af7179dd538ea89e248f9d0 upstream. |
| |
| Although this shouldn't occur in practice, it's a good idea to bounds |
| check the length field of the SSID element prior to using it for things |
| like allocations or memcpy operations. |
| |
| Cc: <stable@vger.kernel.org> |
| Cc: Kees Cook <keescook@chromium.org> |
| Reported-by: Nicolas Waisman <nico@semmle.com> |
| Signed-off-by: Will Deacon <will@kernel.org> |
| Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org |
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c |
| index 36b60f39930b..e75f1b4b3ce3 100644 |
| --- a/net/mac80211/mlme.c |
| +++ b/net/mac80211/mlme.c |
| @@ -2628,7 +2628,8 @@ struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw, |
| |
| rcu_read_lock(); |
| ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID); |
| - if (WARN_ON_ONCE(ssid == NULL)) |
| + if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN, |
| + "invalid SSID element (len=%d)", ssid ? ssid[1] : -1)) |
| ssid_len = 0; |
| else |
| ssid_len = ssid[1]; |
| @@ -5207,7 +5208,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata, |
| |
| rcu_read_lock(); |
| ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID); |
| - if (!ssidie) { |
| + if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) { |
| rcu_read_unlock(); |
| kfree(assoc_data); |
| return -EINVAL; |
| -- |
| 2.7.4 |
| |
