Commit bedcd69
wifi: cfg80211: check A-MSDU format more carefully

jira VULN-5183
cve CVE-2024-35937
commit-author Johannes Berg <johannes.berg@intel.com>
commit 9ad7974
upstream-diff |
1. All changes to the `ieee80211_is_valid_amsdu' function were discarded
because it's missing from `ciqlts9_2'.
2. Changes to `ieee80211_amsdu_to_8023s' were adapted to account for the
missing 986e43b from `ciqlts9_2'
history: the `copy_len > remaining' condition was changed to
`sizeof(eth) > remaining', as `sizeof(eth)' is the only possible
value `copy_len' could have assumed in `ciqlts9_2' if it was
introduced without backporting 986e43b (pointless).

If it looks like there's another subframe in the A-MSDU
but the header isn't fully there, we can end up reading
data out of bounds, only to discard later. Make this a
bit more careful and check if the subframe header can
even be present.

Reported-by: syzbot+d050d437fe47d479d210@syzkaller.appspotmail.com
Link: https://msgid.link/20240226203405.a731e2c95e38.I82ce7d8c0cc8970ce29d0a39fdc07f1ffc425be4@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(cherry picked from commit 9ad7974)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

1 parent e7f6aee commit bedcd69
1 file changed, +5 -2 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
757 | 757 | | |
758 | 758 | | |
759 | 759 | | |
760 | | - | |
| 760 | + | |
761 | 761 | | |
762 | 762 | | |
763 | 763 | | |
764 | 764 | | |
765 | 765 | | |
766 | 766 | | |
| 767 | + | |
767 | 768 | | |
768 | 769 | | |
769 | 770 | | |
770 | 771 | | |
| 772 | + | |
| 773 | + | |
| 774 | + | |
771 | 775 | | |
772 | 776 | | |
773 | 777 | | |
774 | 778 | | |
775 | 779 | | |
776 | 780 | | |
777 | | - | |
778 | 781 | | |
779 | 782 | | |
780 | 783 | | |
| |||
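Review bot: the added header-presence check, which the message gives as `sizeof(eth) > remaining` in `ieee80211_amsdu_to_8023s`, diverges from upstream's `copy_len > remaining`, and the reason is recorded only in the upstream-diff note of the commit message. A short comment at the check saying that `copy_len` comes with 986e43b, which is not in `ciqlts9_2`, would flag the condition for whoever backports 986e43b later, so it is not left comparing against the wrong length.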
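The failure mode the commit message describes, as an added user-space example that is not the kernel code or this backport: a walker over A-MSDU subframes (14-byte header of DA, SA and big-endian length, padded to 4 bytes except for the last subframe) that rejects the aggregate when a further subframe header cannot be fully present. The names `amsdu_count`, `HDR_LEN` and `sample`, and the `overread` out-parameter, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN ((size_t)14)  /* DA(6) + SA(6) + big-endian length(2) */

/* Constructed sample: two subframes with 2-byte and 3-byte payloads. */
static const uint8_t sample[33] = { [13] = 2, [16 + 13] = 3 };

/*
 * Count the subframes in buf[0..len). Returns -1 for a malformed aggregate.
 * *overread reports how many bytes past the end a header read would have
 * touched if the presence check were missing (0 when no header is short).
 */
int amsdu_count(const uint8_t *buf, size_t len, size_t *overread)
{
    size_t offset = 0;
    int count = 0;

    *overread = 0;
    while (offset < len) {
        size_t remaining = len - offset;
        size_t sub_len, padding;

        if (remaining < HDR_LEN) {       /* header cannot be fully present */
            *overread = HDR_LEN - remaining;
            return -1;
        }
        sub_len = HDR_LEN + (((size_t)buf[offset + 12] << 8) | buf[offset + 13]);
        if (sub_len > remaining)         /* payload runs past the buffer */
            return -1;
        count++;
        padding = (4 - sub_len % 4) % 4; /* pad to 4 bytes, except the last */
        if (sub_len + padding >= remaining)
            break;                       /* that was the last subframe */
        offset += sub_len + padding;
    }
    return count;
}

int main(void)
{
    size_t over;
    int n = amsdu_count(sample, sizeof(sample), &over);
    printf("full: %d subframes\n", n);
    n = amsdu_count(sample, 21, &over);  /* cut inside the second header */
    printf("truncated: %d, short by %zu bytes\n", n, over);
    return 0;
}
```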