diff options
| author | Bjoern A. Zeeb <bz@FreeBSD.org> | 2021-10-06 21:09:39 +0300 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2022-03-15 20:45:36 +0300 |
| commit | 0d1db5c3257e7cd1708b21dc4c6b14c9b1a41ec4 (patch) | |
| tree | baa3612852e70b642b2c825be120715a90c89719 | |
| parent | 6eb932a969139b9f42f0ad130bda36f0d709e2a9 (diff) | |
net80211: correct length check in ieee80211_ies_expand()
In ieee80211_ies_expand() we are looping over Elements
(also known as Information Elements or IEs).
The comment suggests that we assume well-formedness of
the IEs themselves.
Checking the buffer length being least 2 (1 byte Element ID and
1 byte Length fields) rather than just 1 before accessing ie[1]
is still good practise and can prevent and out-of-bounds read in
case the input is not behaving according to the comment.
Reported by: (coypu sdf.org)
admbugs: 857
(cherry picked from commit 09dd08f167812a5fdb516fc98f14dbb43221432f)
(cherry picked from commit 32c2c00e3f90d3a01a03ebdf7131c7e300da034c)
Approved by: so
Security: FreeBSD-SA-22:02.wifi
| -rw-r--r-- | sys/net80211/ieee80211_node.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/net80211/ieee80211_node.c b/sys/net80211/ieee80211_node.c index 64a0164aeb81..423d701743bc 100644 --- a/sys/net80211/ieee80211_node.c +++ b/sys/net80211/ieee80211_node.c @@ -1132,7 +1132,7 @@ ieee80211_ies_expand(struct ieee80211_ies *ies) ie = ies->data; ielen = ies->len; - while (ielen > 0) { + while (ielen > 1) { switch (ie[0]) { case IEEE80211_ELEMID_VENDOR: if (iswpaoui(ie)) |