git: b2b23824272d - releng/13.0 - net80211: validate Mesh ID length in ieee80211_parse_beacon

Ed Maste Tue, 05 Apr 2022 20:07:56 -0700

The branch releng/13.0 has been updated by emaste:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b2b23824272dbfbdc99a51237bdeea0216184b81


commit b2b23824272dbfbdc99a51237bdeea0216184b81
Author:     Bjoern A. Zeeb <[email protected]>
AuthorDate: 2022-04-05 23:27:00 +0000
Commit:     Ed Maste <[email protected]>
CommitDate: 2022-04-05 23:27:01 +0000

    net80211: validate Mesh ID length in ieee80211_parse_beacon
    
    Reported by:    m00nbsd working with Trend Micro Zero Day Initiative
    
    (cherry picked from commit fb8c87b4f3bfdfac014f9d894fe75fbad0391b24)
    (cherry picked from commit 72617f9246e3a4be28eeafeae1bdd983143eef3e)
    
    Approved by:    so
    Security:       CVE-2022-23088
    Security:       FreeBSD-SA-22:07.wifi_meshid
---
 sys/net80211/ieee80211_input.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index 66a5ba1c4035..2601b4cb9e63 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -742,6 +742,12 @@ ieee80211_parse_beacon(struct ieee80211_node *ni, struct 
mbuf *m,
                IEEE80211_VERIFY_LENGTH(scan->csa[1], 3 * sizeof(uint8_t),
                    scan->status |= IEEE80211_BPARSE_CSA_INVALID);
        }
+#ifdef IEEE80211_SUPPORT_MESH
+       if (scan->meshid != NULL) {
+               IEEE80211_VERIFY_ELEMENT(scan->meshid, IEEE80211_MESHID_LEN,
+                   scan->status |= IEEE80211_BPARSE_RATES_INVALID);
+       }
+#endif
        /*
         * Process HT ie's.  This is complicated by our
         * accepting both the standard ie's and the pre-draft

git: b2b23824272d - releng/13.0 - net80211: validate Mesh ID length in ieee80211_parse_beacon

Reply via email to