Patch "wifi: cfg80211: fix buffer overflow in elem comparison" has been added to the 5.10-stable tree


This is a note to let you know that I've just added the patch titled

    wifi: cfg80211: fix buffer overflow in elem comparison

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a4d4baf182cff84a3c75cc6fa04d857dc35a9be1
Author: Johannes Berg <johannes.berg@xxxxxxxxx>
Date:   Fri Nov 25 12:36:57 2022 +0100

    wifi: cfg80211: fix buffer overflow in elem comparison
    
    [ Upstream commit 9f16b5c82a025cd4c864737409234ddc44fb166a ]
    
    For vendor elements, the code here assumes that 5 octets
    are present without checking. Since the element itself is
    already checked to fit, we only need to check the length.
    
    Reported-and-tested-by: Sönke Huster <shuster@xxxxxxxxxxxxxxxxxxxxxx>
    Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 15119c49c093..8102ee7b2047 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -330,7 +330,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
 			 * determine if they are the same ie.
 			 */
 			if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) {
-				if (!memcmp(tmp_old + 2, tmp + 2, 5)) {
+				if (tmp_old[1] >= 5 && tmp[1] >= 5 &&
+				    !memcmp(tmp_old + 2, tmp + 2, 5)) {
 					/* same vendor ie, copy from
 					 * subelement
 					 */
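
Review bot: The literal 5 now appears three times in the new condition (`tmp_old[1] >= 5 && tmp[1] >= 5` and the `memcmp` size), with nothing tying the two length checks to the compare width. A named constant, or a short comment saying what those 5 octets are, would keep the bound and the `memcmp` length from drifting apart in a later edit. The comment above the check could also say that a vendor element with a length octet below 5 is now treated as not matching, and that the check is sufficient only because the element was already validated to fit in the buffer, as the commit message states.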


