diff options
Diffstat (limited to 'package/kernel/mac80211/patches/subsys/356-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch')
-rw-r--r-- | package/kernel/mac80211/patches/subsys/356-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch | 48 |
1 files changed, 0 insertions, 48 deletions
diff --git a/package/kernel/mac80211/patches/subsys/356-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch b/package/kernel/mac80211/patches/subsys/356-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch deleted file mode 100644 index db0e51edc2..0000000000 --- a/package/kernel/mac80211/patches/subsys/356-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch +++ /dev/null @@ -1,48 +0,0 @@ -From: Johannes Berg <johannes.berg@intel.com> -Date: Sat, 1 Oct 2022 00:01:44 +0200 -Subject: [PATCH] wifi: cfg80211: avoid nontransmitted BSS list - corruption -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit bcca852027e5878aec911a347407ecc88d6fff7f upstream. - -If a non-transmitted BSS shares enough information (both -SSID and BSSID!) with another non-transmitted BSS of a -different AP, then we can find and update it, and then -try to add it to the non-transmitted BSS list. We do a -search for it on the transmitted BSS, but if it's not -there (but belongs to another transmitted BSS), the list -gets corrupted. - -Since this is an erroneous situation, simply fail the -list insertion in this case and free the non-transmitted -BSS. - -This fixes CVE-2022-42721. - -Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> -Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") -Signed-off-by: Johannes Berg <johannes.berg@intel.com> ---- - ---- a/net/wireless/scan.c -+++ b/net/wireless/scan.c -@@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg802 - - rcu_read_unlock(); - -+ /* -+ * This is a bit weird - it's not on the list, but already on another -+ * one! The only way that could happen is if there's some BSSID/SSID -+ * shared by multiple APs in their multi-BSSID profiles, potentially -+ * with hidden SSID mixed in ... ignore it. -+ */ -+ if (!list_empty(&nontrans_bss->nontrans_list)) -+ return -EINVAL; -+ - /* add to the list */ - list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); - return 0; |