wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()
In the copy code of the elements, we do the following calculation to reach the end of the MBSSID element:

    /* copy the IEs after MBSSID */
    cpy_len = mbssid[1] + 2;

This looks fine, however, cpy_len is a u8, the same as mbssid[1], so the addition of two can overflow. In this case the subsequent memcpy() will overflow the allocated buffer, since it copies 256 bytes too much due to the way the allocation and memcpy() sizes are calculated.

Fix this by using size_t for the cpy_len variable.

This fixes CVE-2022-41674.

Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
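
The truncation described in the commit message, reproduced in user space as an added example (not the kernel's code or part of the commit). The function names are hypothetical, the input is constructed, and the tail length is modelled as end-of-buffer minus `mbssid + cpy_len`, which is an assumption about how the memcpy() size is derived.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_MBSSID 71   /* Multiple BSSID element ID */
#define EID_VENDOR 221  /* vendor-specific element, used as trailing data */

/* Pre-fix arithmetic: the element's total size is stored in a u8. */
size_t tail_len_u8(const uint8_t *ie, size_t ielen, const uint8_t *mbssid)
{
    uint8_t cpy_len = mbssid[1] + 2;   /* 254 + 2 wraps to 0, 255 + 2 to 1 */
    return (size_t)((ie + ielen) - (mbssid + cpy_len));
}

/* Post-fix arithmetic: size_t holds the full 2..257 range. */
size_t tail_len_fixed(const uint8_t *ie, size_t ielen, const uint8_t *mbssid)
{
    size_t cpy_len = (size_t)mbssid[1] + 2;
    return (size_t)((ie + ielen) - (mbssid + cpy_len));
}

/* Constructed input: one MBSSID element with the given body length,
 * followed by a 4-byte trailing element. Returns the total length. */
size_t build_sample(uint8_t *buf, uint8_t mbssid_body_len)
{
    size_t n = 0;
    buf[n++] = EID_MBSSID;
    buf[n++] = mbssid_body_len;
    memset(buf + n, 0, mbssid_body_len);
    n += mbssid_body_len;
    buf[n++] = EID_VENDOR; buf[n++] = 2; buf[n++] = 0xaa; buf[n++] = 0xbb;
    return n;
}

/* Bytes the pre-fix length would copy beyond what was intended. */
size_t excess_bytes(uint8_t mbssid_body_len)
{
    uint8_t buf[2 + 255 + 4];
    size_t ielen = build_sample(buf, mbssid_body_len);
    return tail_len_u8(buf, ielen, buf) - tail_len_fixed(buf, ielen, buf);
}

int main(void)
{
    for (unsigned len = 252; len <= 255; len++)
        printf("len=%u excess=%zu\n", len, excess_bytes((uint8_t)len));
    return 0;
}
```

Only element lengths 254 and 255 trigger the wrap, which is why a parser test suite that never feeds maximum-length elements does not catch it.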