Home Home > GIT Browse > SLE15-SP1-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCho, Yu-Chen <acho@suse.com>2019-10-17 15:39:13 +0800
committerCho, Yu-Chen <acho@suse.com>2019-10-17 15:39:13 +0800
commitb79905569d3d6e153c76d07beab0637a58794888 (patch)
treef46b7b0475cdf4034d5c3c09bfd6189460354709
parent5817409c16841c573a7193f9a49aff8470678311 (diff)
cfg80211: wext: avoid copying malformed SSIDs (bsc#1153158
CVE-2019-17133). suse-commit: 5f20deadda7c451d1c2541ac482c9ed26e3daf3c
-rw-r--r--net/wireless/wext-sme.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index c434f193f39a..5a2fdbd5244c 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -201,6 +201,7 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev,
struct iw_point *data, char *ssid)
{
struct wireless_dev *wdev = dev->ieee80211_ptr;
+ int ret = 0;
/* call only for station! */
if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION))
@@ -218,7 +219,10 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev,
if (ie) {
data->flags = 1;
data->length = ie[1];
- memcpy(ssid, ie + 2, data->length);
+ if (data->length > IW_ESSID_MAX_SIZE)
+ ret = -EINVAL;
+ else
+ memcpy(ssid, ie + 2, data->length);
}
rcu_read_unlock();
} else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
@@ -228,7 +232,7 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev,
}
wdev_unlock(wdev);
- return 0;
+ return ret;
}
int cfg80211_mgd_wext_siwap(struct net_device *dev,