[openwrt/staging/ansuel.git] / package / kernel / mac80211 / patches / subsys / 352-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch
1 From: Johannes Berg <johannes.berg@intel.com>
2 Date: Wed, 28 Sep 2022 22:01:37 +0200
3 Subject: [PATCH] wifi: cfg80211/mac80211: reject bad MBSSID elements
4
5 commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream
6
7 Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
8 and the minimum is 1 since a multiple BSSID set with just one BSSID
9 doesn't make sense (the # of BSSIDs is limited by 2^n).
10
11 Limit this in the parsing in both cfg80211 and mac80211, rejecting
12 any elements with an invalid value.
13
14 This fixes potentially bad shifts in the processing of these inside
15 the cfg80211_gen_new_bssid() function later.
16
17 I found this during the investigation of CVE-2022-41674 fixed by the
18 previous patch.
19
20 Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
21 Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
22 Reviewed-by: Kees Cook <keescook@chromium.org>
23 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
24 ---
25
26 --- a/net/mac80211/util.c
27 +++ b/net/mac80211/util.c
28 @@ -1413,6 +1413,8 @@ static size_t ieee802_11_find_bssid_prof
29 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
30 if (elem->datalen < 2)
31 continue;
32 + if (elem->data[0] < 1 || elem->data[0] > 8)
33 + continue;
34
35 for_each_element(sub, elem->data + 1, elem->datalen - 1) {
36 u8 new_bssid[ETH_ALEN];
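Review bot: The bounds in the added "elem->data[0] < 1 || elem->data[0] > 8" test are bare literals, and nothing at the check says what data[0] is or why these limits apply. A one-line comment stating that data[0] is the MaxBSSID indicator n, that valid values are 1 to 8, and that the value is later used as a shift count would keep the reason next to the code instead of only in the commit message. Named constants for the two limits would also make the matching check in net/wireless/scan.c easier to keep in sync.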
37 --- a/net/wireless/scan.c
38 +++ b/net/wireless/scan.c
39 @@ -2103,6 +2103,8 @@ static void cfg80211_parse_mbssid_data(s
40 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
41 if (elem->datalen < 4)
42 continue;
43 + if (elem->data[0] < 1 || (int)elem->data[0] > 8)
44 + continue;
45 for_each_element(sub, elem->data + 1, elem->datalen - 1) {
46 u8 profile_len;
47
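Review bot: The "(int)" cast in "(int)elem->data[0] > 8" is redundant and makes this check differ textually from the one added in net/mac80211/util.c, which compares elem->data[0] directly. data[0] is a u8 that is promoted to int for the comparison anyway, so the cast changes nothing; dropping it, or moving the range test into one small shared helper used by both parsers, would make it obvious that cfg80211 and mac80211 reject exactly the same values. Note also that the surrounding length checks already differ between the two files (datalen < 4 here, datalen < 2 in util.c), so a shared helper would be a natural place to document which minimum length each caller relies on.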