mac80211: Reject malformed SSID elements (4152561f) · Commits · 戴 / test

Although this shouldn't occur in practice, it's a good idea to bounds check the length field of the SSID element prior to using it for things like allocations or memcpy operations. Cc: <stable@vger.kernel.org> Cc: Kees Cook <keescook@chromium.org> Reported-by:

Nicolas Waisman <nico@semmle.com> Signed-off-by:

Will Deacon <will@kernel.org> Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org Signed-off-by:

Johannes Berg <johannes.berg@intel.com>

net/mac80211/mlme.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -2633,7 +2633,8 @@ struct sk_buff ieee80211_ap_probereq_get(struct ieee80211_hw hw,

		rcu_read_lock();
		ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID);
		if (WARN_ON_ONCE(ssid == NULL))
		if (WARN_ONCE(!ssid \|\| ssid[1] > IEEE80211_MAX_SSID_LEN,
		"invalid SSID element (len=%d)", ssid ? ssid[1] : -1))
		ssid_len = 0;
		else
		ssid_len = ssid[1];
		@@ -5233,7 +5234,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,

		rcu_read_lock();
		ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID);
		if (!ssidie) {
		if (!ssidie \|\| ssidie[1] > sizeof(assoc_data->ssid)) {
		rcu_read_unlock();
		kfree(assoc_data);
		return -EINVAL;

Admin message