[PATCH OLK-5.10] wifi: iwlwifi: mvm: check n_ssids before accessing the ssids - Kernel

17 Jul 2024

From: Miri Korenblit miriam.rachel.korenblit@intel.com
stable inclusion
from stable-v5.10.221
commit 3c4771091ea8016c8601399078916f722dd8833b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACZLE
CVE: CVE-2024-40929
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
---------------------------
[ Upstream commit 60d62757df30b74bf397a2847a6db7385c6ee281 ]
In some versions of cfg80211, the ssids poinet might be a valid one even
though n_ssids is 0. Accessing the pointer in this case will cuase an
out-of-bound access. Fix this by checking n_ssids first.
Fixes: c1a7515393e4 ("iwlwifi: mvm: add adaptive dwell support")
Signed-off-by: Miri Korenblit miriam.rachel.korenblit@intel.com
Reviewed-by: Ilan Peer ilan.peer@intel.com
Reviewed-by: Johannes Berg johannes.berg@intel.com
Link: https://msgid.link/20240513132416.6e4d1762bf0d.I5a0e6cc8f02050a766db704d1559...
Signed-off-by: Johannes Berg johannes.berg@intel.com
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Zhengchao Shao shaozhengchao@huawei.com
---
 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
index 17b992526694..a9df48c75155 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
@@ -1354,7 +1354,7 @@ static void iwl_mvm_scan_umac_dwell(struct iwl_mvm *mvm,
    	if (IWL_MVM_ADWELL_MAX_BUDGET)
    		cmd->v7.adwell_max_budget =
    			cpu_to_le16(IWL_MVM_ADWELL_MAX_BUDGET);
-		else if (params->ssids && params->ssids[0].ssid_len)
+		else if (params->n_ssids && params->ssids[0].ssid_len)
    		cmd->v7.adwell_max_budget =
    			cpu_to_le16(IWL_SCAN_ADWELL_MAX_BUDGET_DIRECTED_SCAN);
    	else
@@ -1456,7 +1456,7 @@ iwl_mvm_scan_umac_dwell_v10(struct iwl_mvm *mvm,
    if (IWL_MVM_ADWELL_MAX_BUDGET)
    	general_params->adwell_max_budget =
    		cpu_to_le16(IWL_MVM_ADWELL_MAX_BUDGET);
-	else if (params->ssids && params->ssids[0].ssid_len)
+	else if (params->n_ssids && params->ssids[0].ssid_len)
    	general_params->adwell_max_budget =
    		cpu_to_le16(IWL_SCAN_ADWELL_MAX_BUDGET_DIRECTED_SCAN);
    else
-- 
2.34.1


    