projects / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ddd7f45)
wifi: cw1200: Avoid processing an invalid TIM IE
authorJeff Johnson <quic_jjohnson@quicinc.com>
Thu, 31 Aug 2023 18:22:57 +0000 (11:22 -0700)
committerKalle Valo <kvalo@kernel.org>
Mon, 18 Sep 2023 14:28:12 +0000 (17:28 +0300)
While converting struct ieee80211_tim_ie::virtual_map to be a flexible
array it was observed that the TIM IE processing in cw1200_rx_cb()
could potentially process a malformed IE in a manner that could result
in a buffer over-read. Add logic to verify that the TIM IE length is
large enough to hold a valid TIM payload before processing it.

Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230831-ieee80211_tim_ie-v3-1-e10ff584ab5d@quicinc.com
drivers/net/wireless/st/cw1200/txrx.c patch | blob | history

diff --git a/drivers/net/wireless/st/cw1200/txrx.c b/drivers/net/wireless/st/cw1200/txrx.c
index 6894b919ff94b563fc437b3c2b23b51987c6fde1..e16e9ae90d20434b175b03e3a7414561e3cd395e 100644 (file)
--- a/drivers/net/wireless/st/cw1200/txrx.c
+++ b/drivers/net/wireless/st/cw1200/txrx.c
@@ -1166,7 +1166,7 @@ void cw1200_rx_cb(struct cw1200_common *priv,
                size_t ies_len = skb->len - (ies - (u8 *)(skb->data));
 
                tim_ie = cfg80211_find_ie(WLAN_EID_TIM, ies, ies_len);
-               if (tim_ie) {
+               if (tim_ie && tim_ie[1] >= sizeof(struct ieee80211_tim_ie)) {
                        struct ieee80211_tim_ie *tim =
                                (struct ieee80211_tim_ie *)&tim_ie[2];
 
ep93xx device tree rework repo: git://git.maquefel.me/linux.git