mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-29 13:53:33 +00:00
wifi: cfg80211: fix buffer overflow in elem comparison
[ Upstream commit9f16b5c82a
] For vendor elements, the code here assumes that 5 octets are present without checking. Since the element itself is already checked to fit, we only need to check the length. Reported-and-tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> Fixes:0b8fb8235b
("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
34cbc950d0
commit
391cb87255
1 changed files with 2 additions and 1 deletions
|
@ -330,7 +330,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
|
|||
* determine if they are the same ie.
|
||||
*/
|
||||
if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) {
|
||||
if (!memcmp(tmp_old + 2, tmp + 2, 5)) {
|
||||
if (tmp_old[1] >= 5 && tmp[1] >= 5 &&
|
||||
!memcmp(tmp_old + 2, tmp + 2, 5)) {
|
||||
/* same vendor ie, copy from
|
||||
* subelement
|
||||
*/
|
||||
|
|
Loading…
Reference in a new issue