wifi: cfg80211: fix buffer overflow in elem comparison

[ Upstream commit 9f16b5c82a025cd4c864737409234ddc44fb166a ] For vendor elements, the code here assumes that 5 octets are present without checking. Since the element itself is already checked to fit, we only need to check the length. Reported-and-tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Johannes Berg <johannes.berg@intel.com> 2022-11-25 14:36:57 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-12-08 13:23:56 +0300
commit: 9e6b79a3cd17620d467311b30d56f2648f6880aa (patch)
tree: ab36a7dac59517d03f1c01fda10c0e5cc95a9376 /net/wireless
parent: 6922948c2ec1cc45b11acb8ec2eeb3a8353d572b (diff)
download: linux-9e6b79a3cd17620d467311b30d56f2648f6880aa.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 15119c49c093..8102ee7b2047 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -330,7 +330,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
 			 * determine if they are the same ie.
 			 */
 			if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) {
-				if (!memcmp(tmp_old + 2, tmp + 2, 5)) {
+				if (tmp_old[1] >= 5 && tmp[1] >= 5 &&
+				    !memcmp(tmp_old + 2, tmp + 2, 5)) {
 					/* same vendor ie, copy from
 					 * subelement
 					 */
author	Johannes Berg <johannes.berg@intel.com>	2022-11-25 14:36:57 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-12-08 13:23:56 +0300
commit	9e6b79a3cd17620d467311b30d56f2648f6880aa (patch)
tree	ab36a7dac59517d03f1c01fda10c0e5cc95a9376 /net/wireless
parent	6922948c2ec1cc45b11acb8ec2eeb3a8353d572b (diff)
download	linux-9e6b79a3cd17620d467311b30d56f2648f6880aa.tar.xz