wifi: cfg80211: fix buffer overflow in elem comparison

[ Upstream commit 9f16b5c82a025cd4c864737409234ddc44fb166a ] For vendor elements, the code here assumes that 5 octets are present without checking. Since the element itself is already checked to fit, we only need to check the length. Reported-and-tested-by: Sönke Huster <[email protected]> Fixes: 0b8fb82 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
saikiran2001 · Dec 8, 2022 · f5c2ec2 · f5c2ec2
1 parent 0678584
commit f5c2ec2
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
@@ -291,7 +291,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
 			 * determine if they are the same ie.
 			 */
 			if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) {
-				if (!memcmp(tmp_old + 2, tmp + 2, 5)) {
+				if (tmp_old[1] >= 5 && tmp[1] >= 5 &&
+				    !memcmp(tmp_old + 2, tmp + 2, 5)) {
 					/* same vendor ie, copy from
 					 * subelement
 					 */