Search Linux Wireless

[PATCH 2/8] iw: scan: fix buffer over-read in print_ies()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This patch correctly checks, if enough data bytes for parsing IEs are
present (-2 in check for type and length). Furthermore, it adds a
nullptr and length check to ease future fuzzing.

Signed-off-by: Markus Theil <markus.theil@xxxxxxxxxxxxx>
---
 scan.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/scan.c b/scan.c
index a6cb3bb..14138ca 100644
--- a/scan.c
+++ b/scan.c
@@ -2181,7 +2181,10 @@ void print_ies(unsigned char *ie, int ielen, bool unknown,
 		.ie = ie,
 		.ielen = ielen };
 
-	while (ielen >= 2 && ielen >= ie[1]) {
+	if (ie == NULL || ielen < 0)
+		return;
+
+	while (ielen >= 2 && ielen - 2 >= ie[1]) {
 		if (ie[0] < ARRAY_SIZE(ieprinters) &&
 		    ieprinters[ie[0]].name &&
 		    ieprinters[ie[0]].flags & BIT(ptype)) {
-- 
2.25.0




[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Wireless Regulations]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux