Commit a86f1d64 authored by Johannes Berg's avatar Johannes Berg Committed by Greg Kroah-Hartman

radiotap: fix bitmap-end-finding buffer overrun

commit bd02cd25 upstream.

Evan Huus found (by fuzzing in wireshark) that the radiotap
iterator code can access beyond the length of the buffer if
the first bitmap claims an extension but then there's no
data at all. Fix this.
Reported-by: default avatarEvan Huus <eapache@gmail.com>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent c89c4dc7
...@@ -122,6 +122,10 @@ int ieee80211_radiotap_iterator_init( ...@@ -122,6 +122,10 @@ int ieee80211_radiotap_iterator_init(
/* find payload start allowing for extended bitmap(s) */ /* find payload start allowing for extended bitmap(s) */
if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) { if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) {
if ((unsigned long)iterator->_arg -
(unsigned long)iterator->_rtheader + sizeof(uint32_t) >
(unsigned long)iterator->_max_length)
return -EINVAL;
while (get_unaligned_le32(iterator->_arg) & while (get_unaligned_le32(iterator->_arg) &
(1 << IEEE80211_RADIOTAP_EXT)) { (1 << IEEE80211_RADIOTAP_EXT)) {
iterator->_arg += sizeof(uint32_t); iterator->_arg += sizeof(uint32_t);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment