Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCho, Yu-Chen <acho@suse.com>2019-10-17 15:39:13 +0800
committerDenis Kirjanov <dkirjanov@suse.com>2019-10-17 14:54:09 +0300
commitc19ade2d81438bc58cd4ed8ef27d72ea2fbbbf59 (patch)
treecff686b91d11afd614f33f2ea7f9a54e694e7b45
parent4039846bd3364e673ae2f5f775328365134328da (diff)
cfg80211: wext: avoid copying malformed SSIDs (bsc#1153158
CVE-2019-17133). suse-commit: a8e0acc6a81443d31e7a2cc394daba554d2e5f59
-rw-r--r--net/wireless/wext-sme.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index c434f193f39a..5a2fdbd5244c 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -201,6 +201,7 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev,
struct iw_point *data, char *ssid)
{
struct wireless_dev *wdev = dev->ieee80211_ptr;
+ int ret = 0;
/* call only for station! */
if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION))
@@ -218,7 +219,10 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev,
if (ie) {
data->flags = 1;
data->length = ie[1];
- memcpy(ssid, ie + 2, data->length);
+ if (data->length > IW_ESSID_MAX_SIZE)
+ ret = -EINVAL;
+ else
+ memcpy(ssid, ie + 2, data->length);
}
rcu_read_unlock();
} else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
@@ -228,7 +232,7 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev,
}
wdev_unlock(wdev);
- return 0;
+ return ret;
}
int cfg80211_mgd_wext_siwap(struct net_device *dev,