git: 87099980a00c - releng/12.3 - net80211: validate Mesh ID length in ieee80211_parse_beacon
Date: Wed, 06 Apr 2022 03:04:50 UTC
The branch releng/12.3 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=87099980a00cc6d785883214bb89df26490c5379
commit 87099980a00cc6d785883214bb89df26490c5379
Author: Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2022-04-05 23:21:44 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-04-05 23:29:29 +0000
net80211: validate Mesh ID length in ieee80211_parse_beacon
Reported by: m00nbsd working with Trend Micro Zero Day Initiative
(cherry picked from commit fb8c87b4f3bfdfac014f9d894fe75fbad0391b24)
(cherry picked from commit 72617f9246e3a4be28eeafeae1bdd983143eef3e)
(cherry picked from commit 8373df6aa0acc70343864075b08507ccea24aa5d)
Approved by: so
Security: CVE-2022-23088
Security: FreeBSD-SA-22:07.wifi_meshid
---
sys/net80211/ieee80211_input.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sys/net80211/ieee80211_input.c b/sys/net80211/ieee80211_input.c
index 5b2d2c15cc12..eaafe9e5c326 100644
--- a/sys/net80211/ieee80211_input.c
+++ b/sys/net80211/ieee80211_input.c
@@ -742,6 +742,12 @@ ieee80211_parse_beacon(struct ieee80211_node *ni, struct mbuf *m,
IEEE80211_VERIFY_LENGTH(scan->csa[1], 3 * sizeof(uint8_t),
scan->status |= IEEE80211_BPARSE_CSA_INVALID);
}
+#ifdef IEEE80211_SUPPORT_MESH
+ if (scan->meshid != NULL) {
+ IEEE80211_VERIFY_ELEMENT(scan->meshid, IEEE80211_MESHID_LEN,
+ scan->status |= IEEE80211_BPARSE_RATES_INVALID);
+ }
+#endif
/*
* Process HT ie's. This is complicated by our
* accepting both the standard ie's and the pre-draft
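Review bot: The failure action on the added IEEE80211_VERIFY_ELEMENT line sets IEEE80211_BPARSE_RATES_INVALID, so an oversized Mesh ID is recorded in scan->status as a rates problem, whereas the CSA check directly above reports through its own IEEE80211_BPARSE_CSA_INVALID bit. Code that inspects scan->status after parsing cannot tell a rejected Mesh ID from a rejected rates element. Consider a dedicated Mesh ID status bit, or at least a short comment above `if (scan->meshid != NULL) {` stating that the rates flag is reused deliberately and that the check exists to bound the element at IEEE80211_MESHID_LEN before later code uses it.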