wlan-ap-Telecominfraproject/feeds/ipq95xx/mac80211/patches/qca/696-UPSTREAM-cfg80211-fix-u8-overflow-in-cfg80211_update.patch

From 367066d93f9687d9a6274c7c02f1a607324f8115 Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@intel.com>
Date: Tue, 29 Nov 2022 19:04:12 +0530
Subject: [PATCH 1/6] UPSTREAM: cfg80211: fix u8 overflow in
 cfg80211_update_notlisted_nontrans()

In the copy code of the elements, we do the following calculation
to reach the end of the MBSSID element:

	/* copy the IEs after MBSSID */
	cpy_len = mbssid[1] + 2;

This looks fine, however, cpy_len is a u8, the same as mbssid[1],
so the addition of two can overflow. In this case the subsequent
memcpy() will overflow the allocated buffer, since it copies 256
bytes too much due to the way the allocation and memcpy() sizes
are calculated.

Fix this by using size_t for the cpy_len variable.

This fixes CVE-2022-41674.

(Cherry picked from commit:aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d)
(Source:https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless.git)
(Link: https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless.git/
commit/?id=aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d)

Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ganesh Babu Jothiram <quic_gjothira@quicinc.com>
---
 net/wireless/scan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index fcd9c2f..032cb6d 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2279,7 +2279,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
 	size_t new_ie_len;
 	struct cfg80211_bss_ies *new_ies;
 	const struct cfg80211_bss_ies *old;
-	u8 cpy_len;
+	size_t cpy_len;
 
 	lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
 
-- 
2.17.1