linux/net
Johannes Berg 6aeb3ccf09 UPSTREAM: wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()
commit aebe9f4639 upstream.

In the copy code of the elements, we do the following calculation
to reach the end of the MBSSID element:

	/* copy the IEs after MBSSID */
	cpy_len = mbssid[1] + 2;

This looks fine, however, cpy_len is a u8, the same as mbssid[1],
so the addition of two can overflow. In this case the subsequent
memcpy() will overflow the allocated buffer, since it copies 256
bytes too much due to the way the allocation and memcpy() sizes
are calculated.

Fix this by using size_t for the cpy_len variable.

This fixes CVE-2022-41674.

Bug: 253641805
Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb8235b ("cfg80211: Parsing of Multiple BSSID information in scanning")
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I70d3a1188609751797cbabe905028d92d1700f17
2022-10-25 18:14:48 +00:00
6lowpan 6lowpan: iphc: Fix an off-by-one check of array index 2021-09-15 09:50:34 +02:00
9p This is the 5.10.105 stable release 2022-03-18 15:02:06 +01:00
802
8021q net: make free_netdev() more lenient with unregistering devices 2022-07-29 17:19:07 +02:00
appletalk
atm
ax25 net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg 2022-06-22 14:13:17 +02:00
batman-adv batman-adv: Don't skb_split skbuffs with frag_list 2022-05-18 10:23:42 +02:00
bluetooth BACKPORT: Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put 2022-08-04 11:36:30 +00:00
bpf bpf: Add PROG_TEST_RUN support for sk_lookup programs 2022-08-03 12:00:52 +02:00
bpfilter ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
bridge netfilter: br_netfilter: do not skip all hooks with 0 priority 2022-07-21 21:20:13 +02:00
caif net-caif: avoid user-triggerable WARN_ON(1) 2021-09-22 12:27:56 +02:00
can can: bcm: use call_rcu() instead of costly synchronize_rcu() 2022-07-12 16:32:16 +02:00
ceph libceph: fix potential use-after-free on linger ping and resends 2022-05-25 09:17:56 +02:00
core Merge tag 'android12-5.10.136_r00' into android12-5.10 2022-09-28 09:54:28 +02:00
dcb net: dcb: disable softirqs in dcbnl_flush_dev() 2022-03-08 19:09:37 +01:00
dccp This is the 5.10.121 stable release 2022-07-23 16:10:22 +02:00
decnet
dns_resolver
dsa net: dsa: Add missing of_node_put() in dsa_port_link_register_of 2022-05-09 09:05:02 +02:00
ethernet
ethtool ethtool: do not perform operations on net devices being unregistered 2021-12-17 10:14:41 +01:00
hsr
ieee802154 net: ieee802154: Return meaningful error codes from the netlink helpers 2022-02-08 18:30:37 +01:00
ife
ipv4 This is the 5.10.135 stable release 2022-08-04 10:59:03 +02:00
ipv6 This is the 5.10.135 stable release 2022-08-04 10:59:03 +02:00
iucv
kcm
key This is the 5.10.120 stable release 2022-07-23 16:09:48 +02:00
l2tp ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg 2022-06-22 14:13:15 +02:00
l3mdev l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu 2022-04-27 13:53:50 +02:00
lapb
llc llc: only change llc->dev when bind() succeeds 2022-03-28 09:57:10 +02:00
mac80211 wifi: mac80211: fix queue selection for mesh/OCB interfaces 2022-07-21 21:20:00 +02:00
mac802154
mpls net: mpls: Fix notifications when deleting a device 2021-12-08 09:03:23 +01:00
mptcp tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf. 2022-08-03 12:00:45 +02:00
ncsi net/ncsi: check for error return from call to nla_put_u32 2022-01-05 12:40:32 +01:00
netfilter This is the 5.10.135 stable release 2022-08-04 10:59:03 +02:00
netlabel netlabel: fix out-of-bounds memory accesses 2022-04-13 21:01:00 +02:00
netlink netlink: do not reset transport header in netlink_recvmsg() 2022-05-18 10:23:43 +02:00
netrom netrom: fix api breakage in nr_setsockopt() 2022-01-27 10:54:03 +01:00
nfc NFC: NULL out the dev->rfkill to prevent UAF 2022-06-09 10:21:01 +02:00
nsh
openvswitch net: openvswitch: fix parsing of nw_proto for IPv6 fragments 2022-06-29 08:59:45 +02:00
packet BACKPORT: net/packet: fix slab-out-of-bounds access in packet_recvmsg() 2022-04-28 13:02:55 +00:00
phonet phonet: refcount leak in pep_sock_accep 2022-01-11 15:25:01 +01:00
psample
qrtr net: qrtr: fix another OOB Read in qrtr_endpoint_post 2021-09-03 10:09:21 +02:00
rds rds: memory leak in __rds_conn_create() 2021-12-22 09:30:54 +01:00
rfkill
rose net: rose: fix UAF bug caused by rose_t0timer_expiry 2022-07-12 16:32:17 +02:00
rxrpc rxrpc: Fix decision on when to generate an IDLE ACK 2022-06-09 10:21:12 +02:00
sched This is the 5.10.129 stable release 2022-07-28 16:55:29 +02:00
sctp This is the 5.10.135 stable release 2022-08-04 10:59:03 +02:00
smc tcp: Fix data-races around keepalive sysctl knobs. 2022-07-29 17:19:16 +02:00
strparser bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding 2021-11-18 14:04:27 +01:00
sunrpc This is the 5.10.129 stable release 2022-07-28 16:55:29 +02:00
switchdev
tipc This is the 5.10.132 stable release 2022-07-28 17:17:55 +02:00
tls net/tls: Remove the context from the list in tls_device_down 2022-08-03 12:00:46 +02:00
unix This is the 5.10.122 stable release 2022-07-28 15:05:26 +02:00
vmw_vsock Revert "vsock: each transport cycles only on its own sockets" 2022-03-23 14:30:38 +01:00
wimax
wireless UPSTREAM: wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans() 2022-10-25 18:14:48 +00:00
x25 net/x25: Fix null-ptr-deref caused by x25_disconnect 2022-04-08 14:40:30 +02:00
xdp xsk: Clear page contiguity bit when unmapping pool 2022-07-12 16:32:21 +02:00
xfrm This is the 5.10.134 stable release 2022-08-03 12:42:13 +02:00
compat.c
devres.c
Kconfig
Makefile
socket.c Merge 5.10.67 into android12-5.10-lts 2021-09-30 12:21:03 +02:00
sysctl_net.c