From 3f5bc13e783a1e7a9a4c182174e151da559cba37 Mon Sep 17 00:00:00 2001 From: Miri Korenblit Date: Wed, 17 Jul 2024 19:49:31 +0800 Subject: [PATCH] wifi: iwlwifi: mvm: check n_ssids before accessing the ssids mainline inclusion from mainline-v6.10-rc3 commit 60d62757df30b74bf397a2847a6db7385c6ee281 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACZLE CVE: CVE-2024-40929 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=60d62757df30b74bf397a2847a6db7385c6ee281 -------------------------------- In some versions of cfg80211, the ssids poinet might be a valid one even though n_ssids is 0. Accessing the pointer in this case will cuase an out-of-bound access. Fix this by checking n_ssids first. Fixes: c1a7515393e4 ("iwlwifi: mvm: add adaptive dwell support") Signed-off-by: Miri Korenblit Reviewed-by: Ilan Peer Reviewed-by: Johannes Berg Link: https://msgid.link/20240513132416.6e4d1762bf0d.I5a0e6cc8f02050a766db704d15594c61fe583d45@changeid Signed-off-by: Johannes Berg Conflicts: drivers/net/wireless/intel/iwlwifi/mvm/scan.c [The conflict occurs because the commit 19ff9b2c6e3c("iwlwifi: scan: adapt the code to use api ver 11") is not merged] Signed-off-by: Zhengchao Shao --- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c index 11ecdf63b732..fdabc0198b67 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c @@ -1229,7 +1229,7 @@ static void iwl_mvm_scan_umac_dwell(struct iwl_mvm *mvm, if (IWL_MVM_ADWELL_MAX_BUDGET) cmd->v7.adwell_max_budget = cpu_to_le16(IWL_MVM_ADWELL_MAX_BUDGET); - else if (params->ssids && params->ssids[0].ssid_len) + else if (params->n_ssids && params->ssids[0].ssid_len) cmd->v7.adwell_max_budget = cpu_to_le16(IWL_SCAN_ADWELL_MAX_BUDGET_DIRECTED_SCAN); else -- Gitee