mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
radiotap: fix bitmap-end-finding buffer overrun
commit bd02cd2549 upstream.
Evan Huus found (by fuzzing in wireshark) that the radiotap
iterator code can access beyond the length of the buffer if
the first bitmap claims an extension but then there's no
data at all. Fix this.
Reported-by: Evan Huus <eapache@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Johannes Berg
Greg Kroah-Hartman
parent
c89c4dc7c3
commit
a86f1d64f4
1 changed files with 4 additions and 0 deletions
|
|
@ -122,6 +122,10 @@ int ieee80211_radiotap_iterator_init(
|
|||
/* find payload start allowing for extended bitmap(s) */
|
||||
|
||||
if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) {
|
||||
if ((unsigned long)iterator->_arg -
|
||||
(unsigned long)iterator->_rtheader + sizeof(uint32_t) >
|
||||
(unsigned long)iterator->_max_length)
|
||||
return -EINVAL;
|
||||
while (get_unaligned_le32(iterator->_arg) &
|
||||
(1 << IEEE80211_RADIOTAP_EXT)) {
|
||||
iterator->_arg += sizeof(uint32_t);
|
||||
|
|
|
|||
Loading…
Reference in a new issue