wifi: cfg80211: fix buffer overflow in elem comparison
authorJohannes Berg <johannes.berg@intel.com>
Fri, 25 Nov 2022 11:36:57 +0000 (12:36 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 Dec 2022 10:23:03 +0000 (11:23 +0100)
[ Upstream commit 82597139315f9c7c4e1a98d0405a9e23dcdf4beb ]

For vendor elements, the code here assumes that 5 octets
are present without checking. Since the element itself is
already checked to fit, we only need to check the length.

Reported-and-tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: b397b5577905 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/wireless/scan.c

index 630c64520516a206bad67662a1d1e2c5f2f1cbb4..c4c124cb5332b753d1278cba881a5e9c0ef69a31 100644 (file)
@@ -291,7 +291,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
                         * determine if they are the same ie.
                         */
                        if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) {
-                               if (!memcmp(tmp_old + 2, tmp + 2, 5)) {
+                               if (tmp_old[1] >= 5 && tmp[1] >= 5 &&
+                                   !memcmp(tmp_old + 2, tmp + 2, 5)) {
                                        /* same vendor ie, copy from
                                         * subelement
                                         */
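Review bot: The literal `5` in the new guard on `tmp_old[1]` / `tmp[1]` and in the `memcmp` is unexplained and now appears three times, so the length check and the compare size can drift apart in a later edit. Consider a short comment above the condition, e.g. `/* both vendor elements must carry at least the 5 octets compared below */`, or a named constant shared by the check and the `memcmp`. The guard only bounds the read against each element's own length octet, so it is safe only because, as the commit message states, both elements were already checked to fit their buffers; that validation is not visible in this hunk. It is also worth confirming that a vendor element shorter than 5 octets is handled sensibly by whatever follows this `if`, since the body of cfg80211_gen_new_ie starts and ends outside the hunk.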