From: Johannes Berg johannes.berg@intel.com
stable inclusion from stable-v5.10.158 commit 9e6b79a3cd17620d467311b30d56f2648f6880aa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYREV CVE: CVE-2022-49023
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 9f16b5c82a025cd4c864737409234ddc44fb166a ]
For vendor elements, the code here assumes that 5 octets are present without checking. Since the element itself is already checked to fit, we only need to check the length.
Reported-and-tested-by: Sönke Huster shuster@seemoo.tu-darmstadt.de Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yi Yang yiyang13@huawei.com --- net/wireless/scan.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 729d8e089db1..944bddabfceb 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -330,7 +330,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, * determine if they are the same ie. */ if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) { - if (!memcmp(tmp_old + 2, tmp + 2, 5)) { + if (tmp_old[1] >= 5 && tmp[1] >= 5 && + !memcmp(tmp_old + 2, tmp + 2, 5)) { /* same vendor ie, copy from * subelement */