Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

mac80211: Reject malformed SSID elements

Although this shouldn't occur in practice, it's a good idea to bounds
check the length field of the SSID element prior to using it for things
like allocations or memcpy operations.

Cc: <stable@vger.kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Authored by Will Deacon and committed by Johannes Berg
4152561f 313c3fe9

+3 -2
net/mac80211/mlme.c
··· 2633 2633 2634 2634 rcu_read_lock(); 2635 2635 ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID); 2636 - if (WARN_ON_ONCE(ssid == NULL)) 2636 + if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN, 2637 + "invalid SSID element (len=%d)", ssid ? ssid[1] : -1)) 2637 2638 ssid_len = 0; 2638 2639 else 2639 2640 ssid_len = ssid[1]; ··· 5234 5233 5235 5234 rcu_read_lock(); 5236 5235 ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID); 5237 - if (!ssidie) { 5236 + if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) { 5238 5237 rcu_read_unlock(); 5239 5238 kfree(assoc_data); 5240 5239 return -EINVAL;
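Review bot: In the first hunk (the check after `ieee80211_bss_get_ie(cbss, WLAN_EID_SSID)`), `WARN_ONCE` now fires on `ssid[1] > IEEE80211_MAX_SSID_LEN`, which is a length byte read out of the element rather than a purely internal invariant like the old NULL test. If an oversized element can reach this point from a received frame, the warning becomes triggerable by a peer, and that is a crash on systems booted with panic_on_warn. Either state in the commit message where earlier parsing already rejects such elements, or keep the WARN for the NULL case only and report the length violation with a rate-limited message. This path also continues with `ssid_len = 0` while the second hunk fails with `-EINVAL`; a short comment explaining why the two callers handle the same malformed input differently would help.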
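Review bot: In the second hunk (the check after `ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID)`), the bound is `sizeof(assoc_data->ssid)` whereas the first hunk compares against `IEEE80211_MAX_SSID_LEN`. Tying the check to the destination buffer is the safer choice for a later copy, but the two limits should be visibly the same: either use one form in both places or add a comment (or a build-time assertion) that the array is sized by that constant. The rejection is also silent here, so a malformed SSID element is indistinguishable from a missing one in the `-EINVAL` return; a debug-level message with the offending length, as the first hunk prints, would make this diagnosable.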