| Message ID | 20191004095132.15777-1-will@kernel.org (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Johannes Berg |
| Headers | show |
| Series | [1/2] mac80211: Reject malformed SSID elements | expand |
On Fri, Oct 04, 2019 at 10:51:31AM +0100, Will Deacon wrote: > Although this shouldn't occur in practice, it's a good idea to bounds > check the length field of the SSID element prior to using it for things > like allocations or memcpy operations. > > Cc: <stable@vger.kernel.org> > Cc: Johannes Berg <johannes@sipsolutions.net> > Cc: Kees Cook <keescook@chromium.org> > Reported-by: Nicolas Waisman <nico@semmle.com> > Signed-off-by: Will Deacon <will@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org> -Kees > --- > net/mac80211/mlme.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c > index 26a2f49208b6..54dd8849d1cc 100644 > --- a/net/mac80211/mlme.c > +++ b/net/mac80211/mlme.c > @@ -2633,7 +2633,8 @@ struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw, > > rcu_read_lock(); > ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID); > - if (WARN_ON_ONCE(ssid == NULL)) > + if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN, > + "invalid SSID element (len=%d)", ssid ? ssid[1] : -1)) > ssid_len = 0; > else > ssid_len = ssid[1]; > @@ -5233,7 +5234,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata, > > rcu_read_lock(); > ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID); > - if (!ssidie) { > + if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) { > rcu_read_unlock(); > kfree(assoc_data); > return -EINVAL; > -- > 2.23.0.581.g78d2f28ef7-goog >
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 26a2f49208b6..54dd8849d1cc 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -2633,7 +2633,8 @@ struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw, rcu_read_lock(); ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID); - if (WARN_ON_ONCE(ssid == NULL)) + if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN, + "invalid SSID element (len=%d)", ssid ? ssid[1] : -1)) ssid_len = 0; else ssid_len = ssid[1]; @@ -5233,7 +5234,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata, rcu_read_lock(); ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID); - if (!ssidie) { + if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) { rcu_read_unlock(); kfree(assoc_data); return -EINVAL;
Although this shouldn't occur in practice, it's a good idea to bounds check the length field of the SSID element prior to using it for things like allocations or memcpy operations. Cc: <stable@vger.kernel.org> Cc: Johannes Berg <johannes@sipsolutions.net> Cc: Kees Cook <keescook@chromium.org> Reported-by: Nicolas Waisman <nico@semmle.com> Signed-off-by: Will Deacon <will@kernel.org> --- net/mac80211/mlme.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)