| From a8eaf0dd2d0cdff698418155b50218925e63e405 Mon Sep 17 00:00:00 2001 |
| From: Johannes Berg <johannes.berg@intel.com> |
| Date: Fri, 20 Sep 2019 21:54:18 +0200 |
| Subject: [PATCH] cfg80211: validate SSID/MBSSID element ordering assumption |
| |
| commit 242b0931c1918c56cd1dc5563fd250a3c39b996d upstream. |
| |
| The code copying the data assumes that the SSID element is |
| before the MBSSID element, but since the data is untrusted |
| from the AP, this cannot be guaranteed. |
| |
| Validate that this is indeed the case and ignore the MBSSID |
| otherwise, to avoid having to deal with both cases for the |
| copy of data that should be between them. |
| |
| Cc: stable@vger.kernel.org |
| Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") |
| Link: https://lore.kernel.org/r/1569009255-I1673911f5eae02964e21bdc11b2bf58e5e207e59@changeid |
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/wireless/scan.c b/net/wireless/scan.c |
| index aa571d727903..43f81ba4c290 100644 |
| --- a/net/wireless/scan.c |
| +++ b/net/wireless/scan.c |
| @@ -1710,7 +1710,12 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy, |
| return; |
| new_ie_len -= trans_ssid[1]; |
| mbssid = cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen); |
| - if (!mbssid) |
| + /* |
| + * It's not valid to have the MBSSID element before SSID |
| + * ignore if that happens - the code below assumes it is |
| + * after (while copying things inbetween). |
| + */ |
| + if (!mbssid || mbssid < trans_ssid) |
| return; |
| new_ie_len -= mbssid[1]; |
| rcu_read_lock(); |
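Review bot: The guard `if (!mbssid || mbssid < trans_ssid)` only rejects an MBSSID element whose first byte lies before the SSID element; it is sufficient only if both pointers were obtained by walking the same `ie` buffer element by element, so that `mbssid > trans_ssid` implies the MBSSID starts after the SSID body ends. trans_ssid is assigned outside this hunk, so that premise cannot be confirmed here; if it holds, writing the check against the end of the SSID element states the invariant the later "copy things inbetween" step actually depends on, `if (!mbssid || mbssid < trans_ssid + 2 + trans_ssid[1]) return;`, and keeps that copy length non-negative even if the lookup of either element changes later. The added comment could record the premise as well, e.g. `/* both pointers must point into ie[]; the element walk guarantees they do not overlap */`. cfg80211_update_notlisted_nontrans begins before and continues after this hunk.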
| -- |
| 2.7.4 |
| |