author: John Walker <johnwalker0@gmail.com> 2026-05-07 17:07:20 -0600
committer: Johannes Berg <johannes.berg@intel.com> 2026-05-08 09:20:03 +0200
commit: 7666dbb1bacc4ba522b96740cba7283d243d16e1
tree: b343057c7bbac6433e41da74f2121d42f49dd961 /tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com
parent: Merge tag 'net-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
wifi: cfg80211: advance loop vars in cfg80211_merge_profile()

cfg80211_merge_profile() reassembles a Multi-BSSID non-transmitted BSS profile that has been split across multiple consecutive MBSSID elements. Its while-loop calls cfg80211_get_profile_continuation(ie, ielen, mbssid_elem, sub_elem) but never advances mbssid_elem or sub_elem inside the body. Each iteration therefore searches for a continuation that follows the same fixed pair; the helper returns the same next_mbssid; and the same next_sub bytes are memcpy()'d into merged_ie at a growing offset until the buffer fills.

Advance both mbssid_elem and sub_elem to the just-consumed continuation so the next call to cfg80211_get_profile_continuation() searches for a further continuation beyond it (or returns NULL when none exists).

A specially-crafted malicious beacon can take advantage of this bug to cause the kernel to spend an excessive amount of time in cfg80211_merge_profile (up to as much as 2ms per beacon received), which could theoretically be abused in some way.

Cc: stable@vger.kernel.org
Fixes: fe806e4992c9 ("cfg80211: support profile split between elements")
Signed-off-by: John Walker <johnwalker0@gmail.com>
Link: https://patch.msgid.link/20260507230720.64783-1-johnwalker0@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions
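
The loop shape described in the commit message, as an added example that is not the kernel's code or part of this commit: a toy TLV merger run once without and once with the loop-variable advance. The element layout, the names next_cont() and merge(), and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy TLV model (assumption, not the cfg80211 layout): [id][len][payload]. */
enum { FRAG_START = 1, FRAG_CONT = 2, OTHER = 3 };

/* Constructed sample: a profile "AB" followed by continuations "CD" and "EF". */
static const uint8_t sample[] = {
    FRAG_START, 2, 'A', 'B', FRAG_CONT, 2, 'C', 'D',
    FRAG_CONT, 2, 'E', 'F', OTHER, 1, 'Z',
};

/* Return the continuation element directly after cur, or NULL if none. */
static const uint8_t *next_cont(const uint8_t *buf, size_t len, const uint8_t *cur)
{
    const uint8_t *end = buf + len, *next = cur + 2 + cur[1];

    if (end - next < 2 || (size_t)(end - next) < 2u + next[1])
        return NULL; /* nothing left, or truncated element */
    return next[0] == FRAG_CONT ? next : NULL;
}

/* advance == 0: loop shape described in the commit message (cur never moves).
 * advance == 1: cur moves to the just-consumed continuation.
 * Returns bytes written to out; *iters counts copies made in the loop. */
static size_t merge(const uint8_t *buf, size_t len, uint8_t *out, size_t cap,
                    int advance, unsigned *iters)
{
    const uint8_t *cur = buf, *next;
    size_t copied;

    *iters = 0;
    if (len < 2 || 2u + buf[1] > len || buf[1] > cap)
        return 0;
    memcpy(out, buf + 2, buf[1]);
    copied = buf[1];
    while ((next = next_cont(buf, len, cur)) != NULL) {
        if (copied + next[1] > cap)
            break; /* without advancing, this is the only exit */
        memcpy(out + copied, next + 2, next[1]);
        copied += next[1];
        ++*iters;
        if (advance)
            cur = next;
    }
    return copied;
}

int main(void) { unsigned n; uint8_t o[16]; return merge(sample, sizeof sample, o, sizeof o, 1, &n) != 6; }
```

With a 16-byte output buffer, the non-advancing loop copies "CD" seven times and fills the buffer, while the advancing loop copies each continuation once and stops after 6 bytes.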