Date: Thu, 18 Aug 2022 20:31:44 GMT From: "Bjoern A. Zeeb" <bz@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 9d2ba51806c3 - main - net80211: ieee80211_ies_expand() add extra length check Message-ID: <202208182031.27IKViS0083409@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by bz: URL: https://cgit.FreeBSD.org/src/commit/?id=9d2ba51806c32e7ea8ad83439cb48df91575b5bf commit 9d2ba51806c32e7ea8ad83439cb48df91575b5bf Author: Bjoern A. Zeeb <bz@FreeBSD.org> AuthorDate: 2022-08-17 16:48:37 +0000 Commit: Bjoern A. Zeeb <bz@FreeBSD.org> CommitDate: 2022-08-18 20:29:25 +0000 net80211: ieee80211_ies_expand() add extra length check Make sure the given IE length fits into the total length left when parsing through the information elements. In theory I would say discard everything if there is an error but that proves hard with the current code. Sponsored by: The FreeBSD Foundation MFC after: 1 week Reviewed by: adrian Differential Revision: https://reviews.freebsd.org/D36245 --- sys/net80211/ieee80211_node.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sys/net80211/ieee80211_node.c b/sys/net80211/ieee80211_node.c index a739b0586088..bc8a240811de 100644 --- a/sys/net80211/ieee80211_node.c +++ b/sys/net80211/ieee80211_node.c @@ -1137,6 +1137,14 @@ ieee80211_ies_expand(struct ieee80211_ies *ies) ie = ies->data; ielen = ies->len; while (ielen > 1) { + /* Make sure the given IE length fits into the total length. */ + if ((2 + ie[1]) > ielen) { + printf("%s: malformed IEs! ies %p { data %p len %d }: " + "ie %u len 2+%u > total len left %d\n", + __func__, ies, ies->data, ies->len, + ie[0], ie[1], ielen); + return; + } switch (ie[0]) { case IEEE80211_ELEMID_VENDOR: if (iswpaoui(ie))
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202208182031.27IKViS0083409>