diff mbox series

[net] wifi: cfg80211: Fix out-of-bounds in cfg80211_wext_siwscan

Message ID 20240623084939.6889-1-aha310510@gmail.com (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Series [net] wifi: cfg80211: Fix out-of-bounds in cfg80211_wext_siwscan

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present fail Series targets non-next tree, but doesn't contain any Fixes tags
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 859 this patch: 859
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 3 maintainers not CCed: pabeni@redhat.com kuba@kernel.org edumazet@google.com
netdev/build_clang success Errors and warnings before: 863 this patch: 863
netdev/verify_signedoff fail author Signed-off-by missing
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 863 this patch: 863
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 10 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-06-23--18-00 (tests: 660)

Commit Message

Jeongjun Park June 23, 2024, 8:49 a.m. UTC
In the process of searching for matching hardware channels, wreq and 
wreq->num_channels are checked to see if they are NULL. However, 
if the value of wreq->num_channels is greater than IW_MAX_FREQUENCIES,
an out-of-bounds vulnerability occurs.

Therefore, you must also add code to check whether the value of 
wreq->num_channels is within the range.

Regards.

Signed-by-off: Jeongjun Park <aha310510@gmail.com>
---
 net/wireless/scan.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Johannes Berg June 25, 2024, 11:54 a.m. UTC | #1
On Sun, 2024-06-23 at 17:49 +0900, Jeongjun Park wrote:
> In the process of searching for matching hardware channels, wreq and 
> wreq->num_channels are checked to see if they are NULL. However, 
> if the value of wreq->num_channels is greater than IW_MAX_FREQUENCIES,
> an out-of-bounds vulnerability occurs.
> 
> Therefore, you must also add code to check whether the value of 
> wreq->num_channels is within the range.
> 

This is the same more or less as 

https://msgid.link/20240531032010.451295-1-dmantipov@yandex.ru

no?

johannes

Patch

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 0222ede0feb6..f253dee041d1 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -3460,6 +3460,10 @@  int cfg80211_wext_siwscan(struct net_device *dev,
 			if (wreq && wreq->num_channels) {
 				int k;
 				int wiphy_freq = wiphy->bands[band]->channels[j].center_freq;
+
+				if (wreq->num_channels > IW_MAX_FREQUENCIES)
+					wreq->num_channels = IW_MAX_FREQUENCIES;
+
 				for (k = 0; k < wreq->num_channels; k++) {
 					struct iw_freq *freq =
 						&wreq->channel_list[k];
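
Review bot: the new clamp sits inside the block that runs for each wiphy->bands[band]->channels[j] entry (it directly follows the center_freq read), so the same comparison is repeated for every hardware channel even though wreq does not change between iterations; move it ahead of the channel walk so it is done once. It also writes the clamped value back into wreq->num_channels, which silently truncates the caller's request: either keep the bounded count in a local and use that in "for (k = 0; k < wreq->num_channels; k++)", or reject a count above IW_MAX_FREQUENCIES with an error so the caller learns the request was invalid. Separately, the commit message needs a Fixes: tag and a correctly spelled Signed-off-by: trailer, as the netdev/fixes_present and netdev/verify_signedoff checks report.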