Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 0e29f851 authored by Johannes Berg's avatar Johannes Berg Committed by Lee Jones
Browse files

UPSTREAM: wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans() 



In the copy code of the elements, we do the following calculation
to reach the end of the MBSSID element:

	/* copy the IEs after MBSSID */
	cpy_len = mbssid[1] + 2;

This looks fine, however, cpy_len is a u8, the same as mbssid[1],
so the addition of two can overflow. In this case the subsequent
memcpy() will overflow the allocated buffer, since it copies 256
bytes too much due to the way the allocation and memcpy() sizes
are calculated.

Fix this by using size_t for the cpy_len variable.

This fixes CVE-2022-41674.

Bug: 254441685
Reported-by: default avatarSoenke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: default avatarSoenke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
(cherry picked from commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d)
Signed-off-by: default avatarLee Jones <joneslee@google.com>
Change-Id: Ie2b1441d3b0a5ac645411fecd563de92f90781fa
parent 7204ca77
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment