wifi: cfg80211: check BSSID Index against MaxBSSID

Add a verification that the BSSID Index does not exceed the maximum
number of BSSIDs in the Multiple-BSSID set.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240318184907.a7574d415adc.I02f40c2920a9f602898190679cc27d0c8ee2c67d@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index b55ffe73e1ef9de823bb6cd2a83228debed043a5..8ac2d19d8edec44d67a95563c07b34a4d923e382 100644 (file)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2447,7 +2447,8 @@ cfg80211_parse_mbssid_data(struct wiphy *wiphy,
                                 profile, profile_len);
                        if (!mbssid_index_ie || mbssid_index_ie[1] < 1 ||
                            mbssid_index_ie[2] == 0 ||
-                           mbssid_index_ie[2] > 46) {
+                           mbssid_index_ie[2] > 46 ||
+                           mbssid_index_ie[2] >= (1 << elem->data[0])) {
                                /* No valid Multiple BSSID-Index element */
                                continue;
                        }