wifi: cfg80211/mac80211: reject bad MBSSID elements
Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
and the minimum is 1 since a multiple BSSID set with just one BSSID
doesn't make sense (the # of BSSIDs is limited by 2^n).
Limit this in the parsing in both cfg80211 and mac80211, rejecting
any elements with an invalid value.
This fixes potentially bad shifts in the processing of these inside
the cfg80211_gen_new_bssid() function later.
I found this during the investigation of CVE-2022-41674 fixed by the
previous patch.
Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Fixes: 78ac51f8 ("mac80211: support multi-bssid")
Reviewed-by: 
Kees Cook <keescook@chromium.org>
Signed-off-by: 
Johannes Berg <johannes.berg@intel.com>
Loading
-
mentioned in commit b67a3abe
-
mentioned in commit d96c2b59
-
mentioned in commit 014d33b9
-
mentioned in commit b6a85ef1
-
mentioned in commit 8ed41785
-
mentioned in commit d7f35ff9
-
mentioned in commit 385f9893
-
mentioned in commit a39862ed
-
mentioned in commit d785419a
-
mentioned in commit 6fbfe3b2
-
mentioned in commit f6121fad
-
mentioned in commit 83270443
-
mentioned in commit 34cdc95b
-
mentioned in commit 00fb271a
-
mentioned in commit bd03d0d6
-
mentioned in commit a0a5b153
-
mentioned in commit 3802e742
Please sign in to comment