git: 9d2ba51806c3 - main - net80211: ieee80211_ies_expand() add extra length check

From: Bjoern A. Zeeb <bz_at_FreeBSD.org>
Date: Thu, 18 Aug 2022 20:31:44 UTC
The branch main has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=9d2ba51806c32e7ea8ad83439cb48df91575b5bf

commit 9d2ba51806c32e7ea8ad83439cb48df91575b5bf
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2022-08-17 16:48:37 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2022-08-18 20:29:25 +0000

    net80211: ieee80211_ies_expand() add extra length check
    
    Make sure the given IE length fits into the total length left when
    parsing through the information elements.  In theory I would say
    discard everything if there is an error but that proves hard with
    the current code.
    
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Reviewed by:    adrian
    Differential Revision: https://reviews.freebsd.org/D36245
---
 sys/net80211/ieee80211_node.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sys/net80211/ieee80211_node.c b/sys/net80211/ieee80211_node.c
index a739b0586088..bc8a240811de 100644
--- a/sys/net80211/ieee80211_node.c
+++ b/sys/net80211/ieee80211_node.c
@@ -1137,6 +1137,14 @@ ieee80211_ies_expand(struct ieee80211_ies *ies)
 	ie = ies->data;
 	ielen = ies->len;
 	while (ielen > 1) {
+		/* Make sure the given IE length fits into the total length. */
+		if ((2 + ie[1]) > ielen) {
+			printf("%s: malformed IEs! ies %p { data %p len %d }: "
+			    "ie %u len 2+%u > total len left %d\n",
+			    __func__, ies, ies->data, ies->len,
+			    ie[0], ie[1], ielen);
+			return;
+		}
 		switch (ie[0]) {
 		case IEEE80211_ELEMID_VENDOR:
 			if (iswpaoui(ie))
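Review bot: The printf() in the new `(2 + ie[1]) > ielen` branch is unconditional and prints the raw `ies` and `ies->data` pointers with %p, so every malformed element list produces a console line that exposes kernel addresses. If these IEs can come from received frames, a peer that keeps sending truncated elements can flood the log; consider rate-limiting the message or gating it behind the net80211 debug facilities, and drop the two %p arguments, since `ie[0]`, `ie[1]` and `ielen` already identify the problem. The bounds check itself is sound: `while (ielen > 1)` guarantees `ie[1]` is readable, and `2 + ie[1]` is promoted to int, so it cannot wrap. The bare `return` leaves whatever earlier iterations of the loop already recorded in `ies` in place, which is the partial-parse state the commit message mentions; a short comment at the `return` saying that callers see a partially expanded `ies` on malformed input would document that for the next reader.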