radiotap: fix bitmap-end-finding buffer overrun
Evan Huus found (by fuzzing in wireshark) that the radiotap iterator code can access beyond the length of the buffer if the first bitmap claims an extension but then there's no data at all. Fix this. Cc: stable@vger.kernel.org Reported-by: Evan Huus <eapache@gmail.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
parent
4c4d684a55
commit
bd02cd2549
|
@ -124,6 +124,10 @@ int ieee80211_radiotap_iterator_init(
|
|||
/* find payload start allowing for extended bitmap(s) */
|
||||
|
||||
if (iterator->_bitmap_shifter & (1<<IEEE80211_RADIOTAP_EXT)) {
|
||||
if ((unsigned long)iterator->_arg -
|
||||
(unsigned long)iterator->_rtheader + sizeof(uint32_t) >
|
||||
(unsigned long)iterator->_max_length)
|
||||
return -EINVAL;
|
||||
while (get_unaligned_le32(iterator->_arg) &
|
||||
(1 << IEEE80211_RADIOTAP_EXT)) {
|
||||
iterator->_arg += sizeof(uint32_t);
|
||||
|
|
Loading…
Reference in New Issue