From nobody Tue Mar 15 18:16:35 2022
Date: Tue, 15 Mar 2022 18:16:35 GMT
Message-Id: <202203151816.22FIGZZP075991@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: b2107e60f62e - releng/12.2 - net80211: proper ssid length check in setmlme_assoc_adhoc()
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/12.2
X-Git-Reftype: branch
X-Git-Commit: b2107e60f62ed2a232900d77ec54804228d1bfc8
Auto-Submitted: auto-generated

The branch releng/12.2 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=b2107e60f62ed2a232900d77ec54804228d1bfc8

commit b2107e60f62ed2a232900d77ec54804228d1bfc8
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2021-10-06 18:41:37 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-03-15 17:39:55 +0000

    net80211: proper ssid length check in setmlme_assoc_adhoc()
    
    A user supplied SSID length is used without proper checks in
    setmlme_assoc_adhoc() which can lead to copies beyond the end
    of the user supplied buffer.
    The ssid is a fixed size array for the ioctl and the argument
    to setmlme_assoc_adhoc().
    In addition to an ssid_len check of 0 also error in case the
    ssid_len is larger than the size of the ssid array to prevent
    problems.
    
    PR:             254737
    Reported by:    Tommaso (cutesmilee.research protonmail.com)
    
    (cherry picked from commit 526370fb85db4b659cff4625eb2f379acaa4a1a8)
    (cherry picked from commit 0525ece3554edce14fa68a7fb61078ae2110c44b)
    (cherry picked from commit ab5678c6c0d0b28feafdb2fd397866d6088f37d8)
    (cherry picked from commit f4d0e8787a09f4cdfb856924aaca97f1c78b65b1)
    
    Approved by:    so
    Security:       FreeBSD-SA-22:02.wifi
---
 sys/net80211/ieee80211_ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/net80211/ieee80211_ioctl.c b/sys/net80211/ieee80211_ioctl.c
index b5e79f2ef07f..7d5f36dc31cc 100644
--- a/sys/net80211/ieee80211_ioctl.c
+++ b/sys/net80211/ieee80211_ioctl.c
@@ -1595,7 +1595,7 @@ setmlme_assoc_adhoc(struct ieee80211vap *vap,
 	    ("expected opmode IBSS or AHDEMO not %s",
 	    ieee80211_opmode_name[vap->iv_opmode]));
 
-	if (ssid_len == 0)
+	if (ssid_len == 0 || ssid_len > IEEE80211_NWID_LEN)
 		return EINVAL;
 
 	sr = IEEE80211_MALLOC(sizeof(*sr), M_TEMP,
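
Review bot: The new upper bound in the line "if (ssid_len == 0 || ssid_len > IEEE80211_NWID_LEN)" is only correct if IEEE80211_NWID_LEN is the size of the fixed ssid array that the commit message describes, and nothing in this hunk ties the two together. Consider comparing against the size of the array itself, or adding a compile-time assertion next to the array declaration, so the check cannot silently drift if either definition changes. A one-line comment above the check noting that ssid_len comes from the ioctl caller and bounds the later copy would also help future readers, since the copy that the length guards is not visible at this point in the function. Returning EINVAL before the IEEE80211_MALLOC call is the right placement, as the rejected path then has nothing to free.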