linux-stable/net/wireless
Keith Yeo 6311071a05 wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()
nl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the
number of MBSSID elements in the nested netlink attribute attrs, which can
lead to an integer overflow if a user of the nl80211 interface specifies
256 or more elements in the corresponding attribute in userspace. The
integer overflow can lead to a heap buffer overflow as num_elems determines
the size of the trailing array in elems, and this array is thereafter
written to for each element in attrs.

Note that this vulnerability only affects devices with the
wiphy->mbssid_max_interfaces member set for the wireless physical device
struct in the device driver, and can only be triggered by a process with
CAP_NET_ADMIN capabilities.

Fix this by checking for a maximum of 255 elements in attrs.

Cc: stable@vger.kernel.org
Fixes: dc1e3cb8da ("nl80211: MBSSID and EMA support in AP mode")
Signed-off-by: Keith Yeo <keithyjy@gmail.com>
Link: https://lore.kernel.org/r/20230731034719.77206-1-keithyjy@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2023-08-09 14:43:35 +02:00
..
certs
.gitignore
ap.c wifi: nl80211: add MLO_LINK_ID to CMD_STOP_AP event 2023-02-14 12:09:17 +01:00
chan.c wifi: cfg80211: move puncturing bitmap validation from mac80211 2023-02-14 12:09:18 +01:00
core.c wifi: cfg80211: fix regulatory disconnect with OCB/NAN 2023-06-19 12:05:29 +02:00
core.h wifi: cfg80211/nl80211: Add support to indicate STA MLD setup links removal 2023-06-19 12:08:40 +02:00
debugfs.c wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() 2022-08-25 10:04:46 +02:00
debugfs.h
ethtool.c wifi: cfg80211: use strscpy to replace strlcpy 2022-07-15 11:43:12 +02:00
ibss.c wifi: cfg80211: remove support for static WEP 2023-01-18 17:31:44 +01:00
Kconfig cfg80211: select CONFIG_CRC32 2021-01-05 15:50:36 -08:00
lib80211.c lib80211: Remove unused macro DRV_NAME 2020-09-18 11:53:00 +02:00
lib80211_crypt_ccmp.c wifi: use struct_group to copy addresses 2022-09-03 16:40:06 +02:00
lib80211_crypt_tkip.c
lib80211_crypt_wep.c
Makefile cfg80211: fix CONFIG_CFG80211_EXTRA_REGDB_KEYDIR typo 2022-03-01 14:10:14 +01:00
mesh.c wifi: cfg80211: do some rework towards MLO link APIs 2022-06-20 12:54:58 +02:00
mlme.c wifi: nl80211: Add support for randomizing TA of auth and deauth frames 2023-03-07 11:12:02 +01:00
nl80211.c wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems() 2023-08-09 14:43:35 +02:00
nl80211.h wifi: nl80211: add MLO_LINK_ID to CMD_STOP_AP event 2023-02-14 12:09:17 +01:00
ocb.c wifi: cfg80211: do some rework towards MLO link APIs 2022-06-20 12:54:58 +02:00
of.c
pmsr.c wifi: cfg80211: hold wiphy lock in pmsr work 2023-06-07 19:53:07 +02:00
radiotap.c mac80211: Use flex-array for radiotap header bitmap 2021-08-13 09:58:25 +02:00
rdev-ops.h wifi: cfg80211: add inform_bss op to update BSS 2023-06-19 12:05:28 +02:00
reg.c wifi: nl80211/reg: add no-EHT regulatory flag 2023-06-21 14:01:29 +02:00
reg.h cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
scan.c wifi: cfg80211: Fix return value in scan logic 2023-07-26 10:08:07 +03:00
sme.c wifi: cfg80211/nl80211: Add support to indicate STA MLD setup links removal 2023-06-19 12:08:40 +02:00
sysfs.c wifi: cfg80211: add a work abstraction with special semantics 2023-06-07 19:53:15 +02:00
sysfs.h
trace.c
trace.h wifi: cfg80211/nl80211: Add support to indicate STA MLD setup links removal 2023-06-19 12:08:40 +02:00
util.c wifi: cfg80211: fix receiving mesh packets without RFC1042 header 2023-07-12 18:03:40 -07:00
wext-compat.c wifi: cfg80211: remove support for static WEP 2023-01-18 17:31:44 +01:00
wext-compat.h wifi: cfg80211: Avoid clashing function prototypes 2022-11-16 11:31:47 +02:00
wext-core.c wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point() 2023-06-19 12:05:27 +02:00
wext-priv.c
wext-proc.c
wext-sme.c wifi: cfg80211: wext: hold wiphy lock in siwgenie 2023-06-07 19:53:11 +02:00
wext-spy.c wireless: wext-spy: Fix out-of-bounds warning 2021-06-23 10:57:17 +02:00