mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-15 23:25:07 +00:00
mac80211: Reject malformed SSID elements
commit 4152561f5d
upstream.
Although this shouldn't occur in practice, it's a good idea to bounds
check the length field of the SSID element prior to using it for things
like allocations or memcpy operations.
Cc: <stable@vger.kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
73c066a955
commit
24ca628920
1 changed files with 3 additions and 2 deletions
|
@ -2554,7 +2554,8 @@ struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw,
|
|||
|
||||
rcu_read_lock();
|
||||
ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID);
|
||||
if (WARN_ON_ONCE(ssid == NULL))
|
||||
if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN,
|
||||
"invalid SSID element (len=%d)", ssid ? ssid[1] : -1))
|
||||
ssid_len = 0;
|
||||
else
|
||||
ssid_len = ssid[1];
|
||||
|
@ -5039,7 +5040,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
|
|||
|
||||
rcu_read_lock();
|
||||
ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID);
|
||||
if (!ssidie) {
|
||||
if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) {
|
||||
rcu_read_unlock();
|
||||
kfree(assoc_data);
|
||||
return -EINVAL;
|
||||
|
|
Loading…
Reference in a new issue