The branch main has been updated by bz:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9d2ba51806c32e7ea8ad83439cb48df91575b5bf

commit 9d2ba51806c32e7ea8ad83439cb48df91575b5bf
Author:     Bjoern A. Zeeb <b...@freebsd.org>
AuthorDate: 2022-08-17 16:48:37 +0000
Commit:     Bjoern A. Zeeb <b...@freebsd.org>
CommitDate: 2022-08-18 20:29:25 +0000

    net80211: ieee80211_ies_expand() add extra length check
    
    Make sure the given IE length fits into the total length left when
    parsing through the information elements.  In theory I would say
    discard everything if there is an error but that proves hard with
    the current code.
    
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Reviewed by:    adrian
    Differential Revision: https://reviews.freebsd.org/D36245
---
 sys/net80211/ieee80211_node.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sys/net80211/ieee80211_node.c b/sys/net80211/ieee80211_node.c
index a739b0586088..bc8a240811de 100644
--- a/sys/net80211/ieee80211_node.c
+++ b/sys/net80211/ieee80211_node.c
@@ -1137,6 +1137,14 @@ ieee80211_ies_expand(struct ieee80211_ies *ies)
        ie = ies->data;
        ielen = ies->len;
        while (ielen > 1) {
+               /* Make sure the given IE length fits into the total length. */
+               if ((2 + ie[1]) > ielen) {
+                       printf("%s: malformed IEs! ies %p { data %p len %d }: "
+                           "ie %u len 2+%u > total len left %d\n",
+                           __func__, ies, ies->data, ies->len,
+                           ie[0], ie[1], ielen);
+                       return;
+               }
                switch (ie[0]) {
                case IEEE80211_ELEMID_VENDOR:
                        if (iswpaoui(ie))
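Review bot: The printf() in the new malformed-IE branch is unconditional and prints two kernel addresses (ies and ies->data, both via %p), so every malformed element list that reaches ieee80211_ies_expand() writes a line containing kernel pointers to the message buffer. If this path can be driven by received frames, that is both a log-flooding vector and an address disclosure. Consider dropping the %p arguments and keeping only ie[0], ie[1] and ielen, and gating the message behind a debug or rate-limited log. Separately, the bare return leaves any pointers set from elements parsed earlier in the loop in place, so callers see a partially expanded ies. The commit message acknowledges this, but a short comment at the return stating that earlier results are intentionally kept would help the next reader. Note also that the loop condition ielen > 1 still silently ignores a single trailing byte without reporting it, which is inconsistent with the new diagnostic.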
