[PATCH 3.16 24/25] cfg80211: wext: avoid copying malformed SSIDs

From: Ben Hutchings
Date: Tue Nov 12 2019 - 18:50:53 EST


3.16.77-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Will Deacon <will@xxxxxxxxxx>

commit 4ac2813cc867ae563a1ba5a9414bfb554e5796fa upstream.

Ensure the SSID element is bounds-checked prior to invoking memcpy()
with its length field, when copying to userspace.

Cc: Kees Cook <keescook@xxxxxxxxxxxx>
Reported-by: Nicolas Waisman <nico@xxxxxxxxxx>
Signed-off-by: Will Deacon <will@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20191004095132.15777-2-will@xxxxxxxxxx
[adjust commit log a bit]
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
net/wireless/wext-sme.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -225,6 +225,7 @@ int cfg80211_mgd_wext_giwessid(struct ne
struct iw_point *data, char *ssid)
{
struct wireless_dev *wdev = dev->ieee80211_ptr;
+ int ret = 0;

/* call only for station! */
if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION))
@@ -242,7 +243,10 @@ int cfg80211_mgd_wext_giwessid(struct ne
if (ie) {
data->flags = 1;
data->length = ie[1];
- memcpy(ssid, ie + 2, data->length);
+ if (data->length > IW_ESSID_MAX_SIZE)
+ ret = -EINVAL;
+ else
+ memcpy(ssid, ie + 2, data->length);
}
rcu_read_unlock();
} else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
@@ -252,7 +256,7 @@ int cfg80211_mgd_wext_giwessid(struct ne
}
wdev_unlock(wdev);

- return 0;
+ return ret;
}

int cfg80211_mgd_wext_siwap(struct net_device *dev,