Johannes Berg e7aa7fd10e wifi: cfg80211/mac80211: reject bad MBSSID elements ...

commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.

Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
and the minimum is 1 since a multiple BSSID set with just one BSSID
doesn't make sense (the # of BSSIDs is limited by 2^n).

Limit this in the parsing in both cfg80211 and mac80211, rejecting
any elements with an invalid value.

This fixes potentially bad shifts in the processing of these inside
the cfg80211_gen_new_bssid() function later.

I found this during the investigation of CVE-2022-41674 fixed by the
previous patch.

Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2022-10-15 07:55:55 +02:00

..

6lowpan

6lowpan: iphc: Fix an off-by-one check of array index

2021-09-15 09:50:34 +02:00

9p

net/9p: Initialize the iounit field during fid creation

2022-08-21 15:16:26 +02:00

802

net/802/garp: fix memleak in garp_request_join()

2021-07-31 08:16:11 +02:00

8021q

net: make free_netdev() more lenient with unregistering devices

2022-07-29 17:19:07 +02:00

appletalk

appletalk: Fix skb allocation size in loopback case

2021-04-07 15:00:08 +02:00

atm

net: atm: fix update of position index in lec_seq_next

2020-10-31 12:26:30 -07:00

ax25

net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg

2022-06-22 14:13:17 +02:00

batman-adv

batman-adv: Don't skb_split skbuffs with frag_list

2022-05-18 10:23:42 +02:00

bluetooth

Bluetooth: L2CAP: Fix build errors in some archs

2022-09-05 10:28:55 +02:00

bpf

bpf: Don't redirect packets with invalid pkt_len

2022-09-05 10:28:56 +02:00

bpfilter

bpfilter: Specify the log level for the kmsg message

2021-07-14 16:56:29 +02:00

bridge

netfilter: ebtables: fix memory leak when blob is malformed

2022-09-28 11:10:36 +02:00

caif

net-caif: avoid user-triggerable WARN_ON(1)

2021-09-22 12:27:56 +02:00

can

can: j1939: j1939_session_destroy(): fix memory leak of skbs

2022-08-25 11:38:23 +02:00

ceph

libceph: fix potential use-after-free on linger ping and resends

2022-05-25 09:17:56 +02:00

core

net: socket: remove register_gifconf

2022-09-28 11:10:35 +02:00

dcb

net: dcb: disable softirqs in dcbnl_flush_dev()

2022-03-08 19:09:37 +01:00

dccp

dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock

2022-08-21 15:15:52 +02:00

decnet

net: Fix data-races around sysctl_[rw]mem(_offset)?.

2022-08-31 17:15:19 +02:00

dns_resolver

…

dsa

net: dsa: Add missing of_node_put() in dsa_port_link_register_of

2022-05-09 09:05:02 +02:00

ethernet

…

ethtool

ethtool: do not perform operations on net devices being unregistered

2021-12-17 10:14:41 +01:00

hsr

net: hsr: fix mac_len checks

2021-06-03 09:00:50 +02:00

ieee802154

net/ieee802154: fix uninit value bug in dgram_sendmsg

2022-10-15 07:55:52 +02:00

ife

…

ipv4

net: socket: remove register_gifconf

2022-09-28 11:10:35 +02:00

ipv6

ipv6: sr: fix out-of-bounds read when setting HMAC data.

2022-09-15 11:32:05 +02:00

iucv

net/af_iucv: remove WARN_ONCE on malformed RX packets

2021-03-07 12:34:05 +01:00

kcm

kcm: fix strp_init() order and cleanup

2022-09-08 11:11:37 +02:00

key

af_key: Do not call xfrm_probe_algs in parallel

2022-08-31 17:15:15 +02:00

l2tp

ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg

2022-06-22 14:13:15 +02:00

l3mdev

l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu

2022-04-27 13:53:50 +02:00

lapb

net: lapb: Copy the skb before sending a packet

2021-02-10 09:29:14 +01:00

llc

llc: only change llc->dev when bind() succeeds

2022-03-28 09:57:10 +02:00

mac80211

wifi: cfg80211/mac80211: reject bad MBSSID elements

2022-10-15 07:55:55 +02:00

mac802154

net: mac802154: Fix a condition in the receive path

2022-09-08 11:11:40 +02:00

mpls

net: Use u64_stats_fetch_begin_irq() for stats fetch.

2022-09-08 11:11:40 +02:00

mptcp

net: Fix data-races around sysctl_[rw]mem(_offset)?.

2022-08-31 17:15:19 +02:00

ncsi

net/ncsi: check for error return from call to nla_put_u32

2022-01-05 12:40:32 +01:00

netfilter

netfilter: nf_tables: fix percpu memory leak at nf_tables_addchain()

2022-09-28 11:10:35 +02:00

netlabel

netlabel: fix out-of-bounds memory accesses

2022-04-13 21:01:00 +02:00

netlink

net: genl: fix error path memory leak in policy dumping

2022-08-25 11:38:07 +02:00

netrom

netrom: fix api breakage in nr_setsockopt()

2022-01-27 10:54:03 +01:00

nfc

NFC: NULL out the dev->rfkill to prevent UAF

2022-06-09 10:21:01 +02:00

nsh

…

openvswitch

net: openvswitch: fix parsing of nw_proto for IPv6 fragments

2022-06-29 08:59:45 +02:00

packet

net/af_packet: check len when min_header_len equals to 0

2022-09-05 10:28:59 +02:00

phonet

phonet: refcount leak in pep_sock_accep

2022-01-11 15:25:01 +01:00

psample

net: psample: Fix netlink skb length with tunnel info

2021-03-07 12:34:07 +01:00

qrtr

qrtr: Convert qrtr_ports from IDR to XArray

2022-08-25 11:38:23 +02:00

rds

rds: add missing barrier to release_refill

2022-08-25 11:37:49 +02:00

rfkill

rfkill: Fix use-after-free in rfkill_resume()

2020-11-12 09:18:06 +01:00

rose

rose: check NULL rose_loopback_neigh->loopback

2022-08-31 17:15:16 +02:00

rxrpc

rxrpc: Fix calc of resend age

2022-09-23 14:16:59 +02:00

sched

net: sched: act_ct: fix possible refcount leak in tcf_ct_init()

2022-10-05 10:38:42 +02:00

sctp

sctp: leave the err path free in sctp_stream_init to sctp_stream_free

2022-08-03 12:00:49 +02:00

smc

net/smc: Stop the CLC flow if no link to map buffers on

2022-09-28 11:10:36 +02:00

strparser

bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding

2021-11-18 14:04:27 +01:00

sunrpc

SUNRPC: RPC level errors should set task->tk_rpc_status

2022-08-31 17:15:15 +02:00

switchdev

net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP

2021-02-07 15:37:12 +01:00

tipc

tipc: fix shift wrapping bug in map_get()

2022-09-15 11:32:05 +02:00

tls

net/tls: Remove the context from the list in tls_device_down

2022-08-03 12:00:46 +02:00

unix

af_unix: Fix a data-race in unix_dgram_peer_wake_me().

2022-06-14 18:32:40 +02:00

vmw_vsock

vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout()

2022-08-25 11:37:59 +02:00

wimax

genetlink: move to smaller ops wherever possible

2020-10-02 19:11:11 -07:00

wireless

wifi: cfg80211/mac80211: reject bad MBSSID elements

2022-10-15 07:55:55 +02:00

x25

net/x25: Fix null-ptr-deref caused by x25_disconnect

2022-04-08 14:40:30 +02:00

xdp

xsk: Inherit need_wakeup flag for shared sockets

2022-10-15 07:55:51 +02:00

xfrm

net: Fix data-races around netdev_max_backlog.

2022-08-31 17:15:19 +02:00

compat.c

net: Return the correct errno code

2021-06-18 10:00:06 +02:00

devres.c

…

Kconfig

drop_monitor: Convert to using devlink tracepoint

2020-09-30 18:01:26 -07:00

Makefile

…

socket.c

net: Fix a data-race around sysctl_somaxconn.

2022-08-31 17:15:21 +02:00

sysctl_net.c

…