diff options
Diffstat (limited to 'package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch')
-rw-r--r-- | package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch | 41 |
1 files changed, 0 insertions, 41 deletions
diff --git a/package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch b/package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch deleted file mode 100644 index 9e1f781367..0000000000 --- a/package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Johannes Berg <johannes.berg@intel.com> -Date: Wed, 28 Sep 2022 21:56:15 +0200 -Subject: [PATCH] wifi: cfg80211: fix u8 overflow in - cfg80211_update_notlisted_nontrans() - -commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream. - -In the copy code of the elements, we do the following calculation -to reach the end of the MBSSID element: - - /* copy the IEs after MBSSID */ - cpy_len = mbssid[1] + 2; - -This looks fine, however, cpy_len is a u8, the same as mbssid[1], -so the addition of two can overflow. In this case the subsequent -memcpy() will overflow the allocated buffer, since it copies 256 -bytes too much due to the way the allocation and memcpy() sizes -are calculated. - -Fix this by using size_t for the cpy_len variable. - -This fixes CVE-2022-41674. - -Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de> -Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") -Reviewed-by: Kees Cook <keescook@chromium.org> -Signed-off-by: Johannes Berg <johannes.berg@intel.com> ---- - ---- a/net/wireless/scan.c -+++ b/net/wireless/scan.c -@@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struc - size_t new_ie_len; - struct cfg80211_bss_ies *new_ies; - const struct cfg80211_bss_ies *old; -- u8 cpy_len; -+ size_t cpy_len; - - lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock); - |