| From 4dcf443357320d73f1057709fe403ad65e6c54ae Mon Sep 17 00:00:00 2001 |
| From: Will Deacon <will@kernel.org> |
| Date: Fri, 4 Oct 2019 10:51:32 +0100 |
| Subject: [PATCH] cfg80211: wext: avoid copying malformed SSIDs |
| |
| commit 4ac2813cc867ae563a1ba5a9414bfb554e5796fa upstream. |
| |
| Ensure the SSID element is bounds-checked prior to invoking memcpy() |
| with its length field, when copying to userspace. |
| |
| Cc: <stable@vger.kernel.org> |
| Cc: Kees Cook <keescook@chromium.org> |
| Reported-by: Nicolas Waisman <nico@semmle.com> |
| Signed-off-by: Will Deacon <will@kernel.org> |
| Link: https://lore.kernel.org/r/20191004095132.15777-2-will@kernel.org |
| [adjust commit log a bit] |
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c |
| index c67d7a82ab13..73fd0eae08ca 100644 |
| --- a/net/wireless/wext-sme.c |
| +++ b/net/wireless/wext-sme.c |
| @@ -202,6 +202,7 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev, |
| struct iw_point *data, char *ssid) |
| { |
| struct wireless_dev *wdev = dev->ieee80211_ptr; |
| + int ret = 0; |
| |
| /* call only for station! */ |
| if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION)) |
| @@ -219,7 +220,10 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev, |
| if (ie) { |
| data->flags = 1; |
| data->length = ie[1]; |
| - memcpy(ssid, ie + 2, data->length); |
| + if (data->length > IW_ESSID_MAX_SIZE) |
| + ret = -EINVAL; |
| + else |
| + memcpy(ssid, ie + 2, data->length); |
| } |
| rcu_read_unlock(); |
| } else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) { |
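Review bot: `data->flags = 1` and `data->length = ie[1]` are still assigned before the new `IW_ESSID_MAX_SIZE` comparison, so on the `-EINVAL` path the `iw_point` handed back to the caller still carries the unvalidated, oversized length. Whether any caller reads `data->length` after an error return is not visible from this hunk, so treat this as hardening rather than a confirmed defect. It would be safer to test the element first with `if (ie[1] > IW_ESSID_MAX_SIZE)` and to set `data->flags` and `data->length` only in the branch that performs the `memcpy()`. A one-line comment above the check, such as `/* reject SSID elements longer than IW_ESSID_MAX_SIZE before copying */`, would record why the length byte is not trusted. The body of `cfg80211_mgd_wext_giwessid()` starts before this hunk and continues after it.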
| @@ -229,7 +233,7 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev, |
| } |
| wdev_unlock(wdev); |
| |
| - return 0; |
| + return ret; |
| } |
| |
| int cfg80211_mgd_wext_siwap(struct net_device *dev, |
| -- |
| 2.7.4 |
| |