On Fri, Oct 04, 2019 at 10:51:31AM +0100, Will Deacon wrote:
> Although this shouldn't occur in practice, it's a good idea to bounds
> check the length field of the SSID element prior to using it for things
> like allocations or memcpy operations.
>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Cc: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Reported-by: Nicolas Waisman <nico@xxxxxxxxxx>
> Signed-off-by: Will Deacon <will@xxxxxxxxxx>
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
-Kees
> ---
> net/mac80211/mlme.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> index 26a2f49208b6..54dd8849d1cc 100644
> --- a/net/mac80211/mlme.c
> +++ b/net/mac80211/mlme.c
> @@ -2633,7 +2633,8 @@ struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw,
>
> rcu_read_lock();
> ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID);
> - if (WARN_ON_ONCE(ssid == NULL))
> + if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN,
> + "invalid SSID element (len=%d)", ssid ? ssid[1] : -1))
> ssid_len = 0;
> else
> ssid_len = ssid[1];
> @@ -5233,7 +5234,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
>
> rcu_read_lock();
> ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID);
> - if (!ssidie) {
> + if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) {
> rcu_read_unlock();
> kfree(assoc_data);
> return -EINVAL;
> --
> 2.23.0.581.g78d2f28ef7-goog
>
--
Kees Cook
