UPSTREAM: cfg80211: validate SSID/MBSSID element ordering assumption

The code copying the data assumes that the SSID element is before the MBSSID element, but since the data is untrusted from the AP, this cannot be guaranteed. Validate that this is indeed the case and ignore the MBSSID otherwise, to avoid having to deal with both cases for the copy of data that should be between them. Cc: stable@vger.kernel.org Fixes: 0b8fb8235b ("cfg80211: Parsing of Multiple BSSID information in scanning") Link: https://lore.kernel.org/r/1569009255-I1673911f5eae02964e21bdc11b2bf58e5e207e59@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> (cherry picked from commit 242b0931c1) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I14b367dd9a100ec688dd1d718d1f6429f83e2a6c
2026-06-07 03:15:31 +09:00 · 2019-09-20 21:54:18 +02:00
parent 650d5657c2
commit 2d44a033d4
1 changed files with 6 additions and 1 deletions
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1555,7 +1555,12 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
 		return;
 	new_ie_len -= trans_ssid[1];
 	mbssid = cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen);
-	if (!mbssid)
+	/*
+	 * It's not valid to have the MBSSID element before SSID
+	 * ignore if that happens - the code below assumes it is
+	 * after (while copying things inbetween).
+	 */
+	if (!mbssid || mbssid < trans_ssid)
 		return;
 	new_ie_len -= mbssid[1];
 	rcu_read_lock();