From nobody Wed Sep 21 14:01:19 2022 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MXg7N2FZVz4cY2d; Wed, 21 Sep 2022 14:01:20 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MXg7M5tfKz49NV; Wed, 21 Sep 2022 14:01:19 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1663768879; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SxyagsiA/WuUsnzhEkPTqRdnwg08Z6ZzPc8qPYySyFM=; b=geqraqULV7c6KM9lXZ8E2yeVf6MiIudITyfe9/xwBZFLmZG3fyFE5HhcFQ10nr1ZyJut5n DEzvEIlIBlHEpLyvrf6rqPxXlE253TrqjgOerJM/DDSb3u0wkurjHZeZ9el/sNGRqKOj7K BlgWUI6o4FATGbvdjpVIwe9elkjVERp89ceV9gLMSC3WgQVaQwo4P0E1pu70CH7qXTTrjk kc0MyZ7LlMVn2ubwVgwXqcpsVmf6CL+GqKNN/wdrWXq7yk2yHum3W9e/+xAznpelTdgfxZ Gzf/q2j1fwMld122UeZkSxlwij8tkeizsOH/W1guy29/yir0BfSNT46EPjmxfw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4MXg7M50Ykz153P; Wed, 21 Sep 2022 14:01:19 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 28LE1J4C099893; Wed, 21 Sep 2022 14:01:19 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 28LE1Jhu099892; Wed, 21 Sep 2022 14:01:19 GMT (envelope-from git) Date: Wed, 21 Sep 2022 14:01:19 GMT Message-Id: <202209211401.28LE1Jhu099892@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: "Bjoern A. Zeeb" Subject: git: 31b4fa3dbcf1 - stable/13 - net80211: ieee80211_ies_expand() add extra length check List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: bz X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 31b4fa3dbcf16ca81293efacd38b7d937d1df07e Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1663768879; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=SxyagsiA/WuUsnzhEkPTqRdnwg08Z6ZzPc8qPYySyFM=; b=BQSVaADPj0cy7woD9h4eNhznnQfA3rijc/xgNehnuu08nbE1mhOarvPeqIscLqW2f/C22/ ZzZlGlOYi1jAzMoEQVh2Y+/d4t8Sj80lNOWp2VNy1lCzOZQk4ZUYY2mOf2Fxu71KBDF6Yi VejFGRqz8lyyxcjq9revytiMyZmlA5jNShU215mQ9SS/Js69qeMcUhyVFX5caj8809/llm baxgaEaPp98ptSJwWf444/Ypjn+qv1WKMjgvj2Vy3jx4zMaz2k6zlX8YNwxMVvOf1u1sIq GrukwVOB1TB/Dwr6d8FtalBSlmisVbLw2Xe1SqMRZG9f+XuZMsvE3mT2vbCYGA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1663768879; a=rsa-sha256; cv=none; b=x5l3QLbugQdW4stsC0w8xN8Ob3ogxyp6EE+F37bV2oeZp7aVrAsPi00C8E0Vpu6R50wEYm ySTjnXwCFPNsKXB7VoYnaOG5JRQt894KHPpcMF7tE3P/ZqnKKDi/s0bqk5lQhOQPjBsI3H 51vO/fa1kV1O9Bdr5jKDEbMoqv37eyKmGKdfor1XRBBWctdMwDHs4PuLiT2REKl8IiZSwe WpTZweGgPqqa1WbO5MTklbmUN8XHTpfM9vsEW6H+QnsPclWTYCTCVj8G0lGwvaMaFoMzLc c5fH7zwV5h0t4V4MKrW1b9XRrLTRuuAR032HNv4KVOm1VZCAIleMBrQ8dyFKvw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by bz: URL: https://cgit.FreeBSD.org/src/commit/?id=31b4fa3dbcf16ca81293efacd38b7d937d1df07e commit 31b4fa3dbcf16ca81293efacd38b7d937d1df07e Author: Bjoern A. Zeeb AuthorDate: 2022-08-17 16:48:37 +0000 Commit: Bjoern A. Zeeb CommitDate: 2022-09-21 11:46:45 +0000 net80211: ieee80211_ies_expand() add extra length check Make sure the given IE length fits into the total length left when parsing through the information elements. In theory I would say discard everything if there is an error but that proves hard with the current code. Sponsored by: The FreeBSD Foundation Reviewed by: adrian Differential Revision: https://reviews.freebsd.org/D36245 (cherry picked from commit 9d2ba51806c32e7ea8ad83439cb48df91575b5bf) --- sys/net80211/ieee80211_node.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sys/net80211/ieee80211_node.c b/sys/net80211/ieee80211_node.c index a739b0586088..bc8a240811de 100644 --- a/sys/net80211/ieee80211_node.c +++ b/sys/net80211/ieee80211_node.c @@ -1137,6 +1137,14 @@ ieee80211_ies_expand(struct ieee80211_ies *ies) ie = ies->data; ielen = ies->len; while (ielen > 1) { + /* Make sure the given IE length fits into the total length. */ + if ((2 + ie[1]) > ielen) { + printf("%s: malformed IEs! ies %p { data %p len %d }: " + "ie %u len 2+%u > total len left %d\n", + __func__, ies, ies->data, ies->len, + ie[0], ie[1], ielen); + return; + } switch (ie[0]) { case IEEE80211_ELEMID_VENDOR: if (iswpaoui(ie))