authorLuciano Coelho <coelho@ti.com>2013-02-12 13:11:38 -0500
committerJohannes Berg <johannes.berg@intel.com>2013-02-13 04:14:17 -0500
commit6719429dd61cde1fe30d9644d0aa2369eefc9005 (patch)
tree5318edf7523b03cb3c34f2824985dc246231a053 /net/wireless
parentbb92d19983a4b54be3e3b83441a8076d92cd04bc (diff)
cfg80211: check vendor IE length to avoid overrun
cfg80211_find_vendor_ie() was checking only that the vendor IE would fit in the remaining IEs buffer. If the input is corrupt and includes a vendor IE that is too small, we could potentially overrun the IEs buffer. Fix this by checking that the vendor IE fits in the reported IE length field and skip it otherwise. Reported-by: Jouni Malinen <j@w1.fi> Signed-off-by: Luciano Coelho <coelho@ti.com> [change BUILD_BUG_ON to != 1 (from >= 2)] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless')
-rw-r--r--net/wireless/scan.c12
1 files changed, 8 insertions, 4 deletions
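--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -365,14 +365,18 @@ const u8 *cfg80211_find_vendor_ie(unsigned int oui, u8 oui_type,
 if (!pos)
 return NULL;
 
-if (end - pos < sizeof(*ie))
-return NULL;
-
 ie = (struct ieee80211_vendor_ie *)pos;
+
+/* make sure we can access ie->len */
+BUILD_BUG_ON(offsetof(struct ieee80211_vendor_ie, len) != 1);
+
+if (ie->len < sizeof(*ie))
+goto cont;
+
 ie_oui = ie->oui[0] << 16 | ie->oui[1] << 8 | ie->oui[2];
 if (ie_oui == oui && ie->oui_type == oui_type)
 return pos;
-
+cont:
 pos += 2 + ie->len;
 }
 return NULL;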
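Review bot: Dropping the `end - pos < sizeof(*ie)` check makes the reads of `ie->len`, `ie->oui` and `ie->oui_type` depend entirely on cfg80211_find_ie() having already verified that `2 + ie->len` bytes remain before `end`, and that invariant is stated nowhere in the hunk. Since the comment above the BUILD_BUG_ON only covers the offset of `len`, extend it to `/* cfg80211_find_ie() guarantees 2 + ie->len bytes remain, so once ie->len >= sizeof(*ie) the oui/oui_type fields are in bounds */` (assuming that is indeed what cfg80211_find_ie() checks; it is outside this hunk). Note also that `ie->len` counts only the bytes after the length field while `sizeof(*ie)` also counts the element_id and len bytes themselves, so if the struct is just element_id, len, oui[3], oui_type the comparison skips well-formed vendor IEs of length 4 or 5; `if (ie->len < sizeof(*ie) - 2)` would be the exact bound, if the stricter check is not intended. cfg80211_find_vendor_ie() begins before the hunk, so the loop header and the computation of `end` are not visible here.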