From: John Walker <johnwalker0@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: security@kernel.org, John Walker <johnwalker0@gmail.com>,
	w@1wt.eu, linux-wireless@vger.kernel.org
Subject: [PATCH] wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
Date: Thu,  7 May 2026 17:07:20 -0600
Message-ID: <20260507230720.64783-1-johnwalker0@gmail.com>
In-Reply-To: <78faec4efa3019c6101ee0a6c329189f1ddf845b.camel@sipsolutions.net>

cfg80211_merge_profile() reassembles a Multi-BSSID non-transmitted BSS
profile that has been split across multiple consecutive MBSSID elements.
Its while-loop calls

	cfg80211_get_profile_continuation(ie, ielen, mbssid_elem, sub_elem)

but never advances mbssid_elem or sub_elem inside the body.  Each
iteration therefore searches for a continuation that follows the same
fixed pair; the helper returns the same next_mbssid; and the same
next_sub bytes are memcpy()'d into merged_ie at a growing offset until
the buffer fills.

Advance both mbssid_elem and sub_elem to the just-consumed continuation
so the next call to cfg80211_get_profile_continuation() searches for a
further continuation beyond it (or returns NULL when none exists).

A specially-crafted malicious beacon can take advantage of this bug
to cause the kernel to spend an excessive amount of time in
cfg80211_merge_profile (up to as much as 2ms per beacon received),
which could theoretically be abused in some way.

Fixes: fe806e4992c9 ("cfg80211: support profile split between elements")
Cc: w@1wt.eu
Cc: linux-wireless@vger.kernel.org
Signed-off-by: John Walker <johnwalker0@gmail.com>
---
 net/wireless/scan.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 328af43ef832..358cbc9e43d8 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2462,6 +2462,9 @@ size_t cfg80211_merge_profile(const u8 *ie, size_t ielen,
 		memcpy(merged_ie + copied_len, next_sub->data,
 		       next_sub->datalen);
 		copied_len += next_sub->datalen;
+
+		mbssid_elem = next_mbssid;
+		sub_elem = next_sub;
 	}
 
 	return copied_len;
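Review bot: the two added assignments are the right fix, but the commit message should also state the functional effect visible in this hunk: with next_sub never changing, the pre-fix loop writes the same continuation bytes at `merged_ie + copied_len` on every pass until the `copied_len + next_sub->datalen > max_copy_len` break fires, so the merged profile handed back to the caller is the first continuation repeated up to max_copy_len rather than the later fragments; that makes this a correctness fix for split profiles, not only a CPU-cost fix, which matters for stable backports. With mbssid_elem now moving forward each pass, the lookup described in the commit message (searching only beyond the current pair) guarantees the loop terminates on ielen, and the existing max_copy_len check still bounds the copy.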

base-commit: fcee7d82f27d6a8b1ddc5bbefda59b4e441e9bc0
-- 
2.50.1 (Apple Git-155)
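Added example, not kernel code and not from the patch author: a user-space model of the merge loop above, run over a constructed (not captured) beacon IE buffer holding one profile split across three MBSSID elements, once without and once with the two added assignments. The continuation helper is a re-implementation assumed to mirror the checks in net/wireless/scan.c; `find_elem`, `demo_merge` and the `advance` flag are this example's own names, and the element IDs (71, 83, 3, 5) are the IEEE 802.11 values.

```c
/* Added example, not kernel code: models cfg80211_merge_profile() pre- and post-fix. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;

/* IEEE 802.11 TLV element, same layout as the kernel's struct element. */
struct element {
	u8 id;
	u8 datalen;
	u8 data[];
} __attribute__((packed));

#define WLAN_EID_MULTIPLE_BSSID    71	/* IEEE 802.11 element IDs */
#define WLAN_EID_NON_TX_BSSID_CAP  83

/* Minimal stand-in for cfg80211_find_elem(): first element with id eid in [ies, ies+len). */
static const struct element *find_elem(u8 eid, const u8 *ies, size_t len)
{
	while (len >= sizeof(struct element)) {
		const struct element *e = (const struct element *)ies;
		size_t n = sizeof(struct element) + e->datalen;

		if (n > len)
			return NULL;
		if (e->id == eid)
			return e;
		ies += n;
		len -= n;
	}
	return NULL;
}

/* Assumed to mirror cfg80211_get_profile_continuation(): returns the next MBSSID
 * element whose first sub-element continues sub_elem, searching only past mbssid_elem. */
static const struct element *
get_profile_continuation(const u8 *ie, size_t ielen,
			 const struct element *mbssid_elem,
			 const struct element *sub_elem)
{
	const u8 *mbssid_end = mbssid_elem->data + mbssid_elem->datalen;
	const struct element *next_mbssid, *next_sub;

	next_mbssid = find_elem(WLAN_EID_MULTIPLE_BSSID, mbssid_end,
				ielen - (mbssid_end - ie));
	/* Only the last sub-element of an MBSSID element can be continued. */
	if (sub_elem->data + sub_elem->datalen < mbssid_end - 1 || !next_mbssid)
		return NULL;
	if (next_mbssid->datalen < 4)
		return NULL;
	next_sub = (const struct element *)&next_mbssid->data[1];
	if (next_mbssid->data + next_mbssid->datalen < next_sub->data + next_sub->datalen)
		return NULL;
	if (next_sub->id != 0 || next_sub->datalen < 2)
		return NULL;
	/* A sub-element opening with NonTx BSSID Capability starts a new profile. */
	return next_sub->data[0] == WLAN_EID_NON_TX_BSSID_CAP ? NULL : next_mbssid;
}

/* The merge loop. advance=0 is the pre-fix loop, advance=1 applies the patch's
 * two assignments. *iterations counts loop bodies that copied a continuation. */
static size_t merge_profile(const u8 *ie, size_t ielen,
			    const struct element *mbssid_elem,
			    const struct element *sub_elem,
			    u8 *merged_ie, size_t max_copy_len,
			    int advance, unsigned *iterations)
{
	size_t copied_len = sub_elem->datalen;
	const struct element *next_mbssid;

	*iterations = 0;
	if (sub_elem->datalen > max_copy_len)
		return 0;
	memcpy(merged_ie, sub_elem->data, sub_elem->datalen);

	while ((next_mbssid = get_profile_continuation(ie, ielen, mbssid_elem, sub_elem))) {
		const struct element *next_sub = (const struct element *)&next_mbssid->data[1];

		if (copied_len + next_sub->datalen > max_copy_len)
			break;		/* the only thing bounding the pre-fix loop */
		memcpy(merged_ie + copied_len, next_sub->data, next_sub->datalen);
		copied_len += next_sub->datalen;
		(*iterations)++;
		if (advance) {		/* the patch's two added lines */
			mbssid_elem = next_mbssid;
			sub_elem = next_sub;
		}
	}
	return copied_len;
}

/* Constructed beacon IE buffer (not a capture): one profile split across three MBSSID elements. */
static const u8 beacon_ies[] = {
	/* MBSSID #1: MaxBSSID indicator, sub-element 0 = NonTx BSSID Cap + SSID "abc" */
	71, 12, 1,  0, 9,  83, 2, 0x01, 0x00,  0, 3, 'a', 'b', 'c',
	/* MBSSID #2: continuation carrying a DS Parameter Set (channel 6) */
	71, 6, 1,  0, 3,  3, 1, 6,
	/* MBSSID #3: continuation carrying a TIM element */
	71, 7, 1,  0, 4,  5, 2, 0, 1,
};

/* Merges the profile in beacon_ies into out; returns merged length, fills *iterations. */
size_t demo_merge(int advance, u8 *out, size_t out_len, unsigned *iterations)
{
	const struct element *mbssid = find_elem(WLAN_EID_MULTIPLE_BSSID, beacon_ies, sizeof(beacon_ies));
	const struct element *sub = (const struct element *)&mbssid->data[1];

	return merge_profile(beacon_ies, sizeof(beacon_ies), mbssid, sub, out, out_len, advance, iterations);
}

int main(void)
{
	u8 out[64];
	unsigned it;
	size_t n;

	n = demo_merge(0, out, sizeof(out), &it);
	printf("pre-fix:  %zu bytes, %u copies of the same continuation\n", n, it);
	n = demo_merge(1, out, sizeof(out), &it);
	printf("post-fix: %zu bytes, %u distinct continuations appended\n", n, it);
	return 0;
}
```

With a 64-byte merge buffer the pre-fix loop copies MBSSID #2's 3-byte continuation 18 times and returns 63 bytes of mostly duplicated data, never reaching MBSSID #3; the fixed loop appends #2 and #3 once each, returns 16 bytes, and stops when no further MBSSID element follows. Scaling the buffer up scales the wasted copies, which is the cost the commit message measures per beacon.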
