Message ID | 20230831-ieee80211_tim_ie-v3-1-e10ff584ab5d@quicinc.com (mailing list archive) |
---|---|
State | Awaiting Upstream |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | wifi: Fix struct ieee80211_tim_ie::virtual_map | expand |
Context | Check | Description |
---|---|---|
netdev/tree_selection | success | Not a local patch |
Jeff Johnson <quic_jjohnson@quicinc.com> wrote: > While converting struct ieee80211_tim_ie::virtual_map to be a flexible > array it was observed that the TIM IE processing in cw1200_rx_cb() > could potentially process a malformed IE in a manner that could result > in a buffer over-read. Add logic to verify that the TIM IE length is > large enough to hold a valid TIM payload before processing it. > > Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com> Patch applied to wireless-next.git, thanks. b7bcea9c27b3 wifi: cw1200: Avoid processing an invalid TIM IE
diff --git a/drivers/net/wireless/st/cw1200/txrx.c b/drivers/net/wireless/st/cw1200/txrx.c index 6894b919ff94..e16e9ae90d20 100644 --- a/drivers/net/wireless/st/cw1200/txrx.c +++ b/drivers/net/wireless/st/cw1200/txrx.c @@ -1166,7 +1166,7 @@ void cw1200_rx_cb(struct cw1200_common *priv, size_t ies_len = skb->len - (ies - (u8 *)(skb->data)); tim_ie = cfg80211_find_ie(WLAN_EID_TIM, ies, ies_len); - if (tim_ie) { + if (tim_ie && tim_ie[1] >= sizeof(struct ieee80211_tim_ie)) { struct ieee80211_tim_ie *tim = (struct ieee80211_tim_ie *)&tim_ie[2];
While converting struct ieee80211_tim_ie::virtual_map to be a flexible array it was observed that the TIM IE processing in cw1200_rx_cb() could potentially process a malformed IE in a manner that could result in a buffer over-read. Add logic to verify that the TIM IE length is large enough to hold a valid TIM payload before processing it. Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com> --- drivers/net/wireless/st/cw1200/txrx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)