git: 31b4fa3dbcf1 - stable/13 - net80211: ieee80211_ies_expand() add extra length check

From: Bjoern A. Zeeb <bz_at_FreeBSD.org>
Date: Wed, 21 Sep 2022 14:01:19 UTC
The branch stable/13 has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=31b4fa3dbcf16ca81293efacd38b7d937d1df07e

commit 31b4fa3dbcf16ca81293efacd38b7d937d1df07e
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2022-08-17 16:48:37 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2022-09-21 11:46:45 +0000

    net80211: ieee80211_ies_expand() add extra length check
    
    Make sure the given IE length fits into the total length left when
    parsing through the information elements.  In theory I would say
    discard everything if there is an error but that proves hard with
    the current code.
    
    Sponsored by:   The FreeBSD Foundation
    Reviewed by:    adrian
    Differential Revision: https://reviews.freebsd.org/D36245
    
    (cherry picked from commit 9d2ba51806c32e7ea8ad83439cb48df91575b5bf)
---
 sys/net80211/ieee80211_node.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sys/net80211/ieee80211_node.c b/sys/net80211/ieee80211_node.c
index a739b0586088..bc8a240811de 100644
--- a/sys/net80211/ieee80211_node.c
+++ b/sys/net80211/ieee80211_node.c
@@ -1137,6 +1137,14 @@ ieee80211_ies_expand(struct ieee80211_ies *ies)
 	ie = ies->data;
 	ielen = ies->len;
 	while (ielen > 1) {
+		/* Make sure the given IE length fits into the total length. */
+		if ((2 + ie[1]) > ielen) {
+			printf("%s: malformed IEs! ies %p { data %p len %d }: "
+			    "ie %u len 2+%u > total len left %d\n",
+			    __func__, ies, ies->data, ies->len,
+			    ie[0], ie[1], ielen);
+			return;
+		}
 		switch (ie[0]) {
 		case IEEE80211_ELEMID_VENDOR:
 			if (iswpaoui(ie))
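Review bot: the printf() in the new malformed-IE branch is unconditional and its arguments include two kernel pointers (ies and ies->data, both formatted with %p). If the IE buffer comes from received frames, a peer that keeps sending truncated elements can produce one console line per parse, and each line puts kernel addresses in the log. Consider rate-limiting the message or moving it behind a debug knob, and dropping the %p values so that only ie[0], ie[1] and the remaining length are printed. Separately, the bare return leaves any ies pointers set by earlier loop iterations in place, so callers see a partially expanded structure. The commit message acknowledges this, but a short comment at the return stating that earlier elements are intentionally kept would save the next reader from having to look it up.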