Linux wireless drivers development
From: John Walker <johnwalker0@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: security@kernel.org, John Walker <johnwalker0@gmail.com>,
	w@1wt.eu, linux-wireless@vger.kernel.org
Subject: [PATCH] wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
Date: Thu,  7 May 2026 17:07:20 -0600	[thread overview]
Message-ID: <20260507230720.64783-1-johnwalker0@gmail.com> (raw)
In-Reply-To: <78faec4efa3019c6101ee0a6c329189f1ddf845b.camel@sipsolutions.net>

cfg80211_merge_profile() reassembles a Multi-BSSID non-transmitted BSS
profile that has been split across multiple consecutive MBSSID elements.
Its while-loop calls

	cfg80211_get_profile_continuation(ie, ielen, mbssid_elem, sub_elem)

but never advances mbssid_elem or sub_elem inside the body.  Each
iteration therefore searches for a continuation that follows the same
fixed pair; the helper returns the same next_mbssid; and the same
next_sub bytes are memcpy()'d into merged_ie at a growing offset until
the buffer fills.

Advance both mbssid_elem and sub_elem to the just-consumed continuation
so the next call to cfg80211_get_profile_continuation() searches for a
further continuation beyond it (or returns NULL when none exists).

A specially-crafted malicious beacon can take advantage of this bug
to cause the kernel to spend an excessive amount of time in
cfg80211_merge_profile (up to as much as 2ms per beacon received),
which could theoretically be abused in some way.

Fixes: fe806e4992c9 ("cfg80211: support profile split between elements")
Cc: w@1wt.eu
Cc: linux-wireless@vger.kernel.org
Signed-off-by: John Walker <johnwalker0@gmail.com>
---
 net/wireless/scan.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 328af43ef832..358cbc9e43d8 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2462,6 +2462,9 @@ size_t cfg80211_merge_profile(const u8 *ie, size_t ielen,
 		memcpy(merged_ie + copied_len, next_sub->data,
 		       next_sub->datalen);
 		copied_len += next_sub->datalen;
+
+		mbssid_elem = next_mbssid;
+		sub_elem = next_sub;
 	}
 
 	return copied_len;
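Review bot: the two assignments are in the right place, after the memcpy and the copied_len update, but the check that keeps copied_len plus next_sub->datalen within the destination buffer is not in this context; the commit message relies on the old loop having stopped only when the buffer filled, so confirm that size check still sits at the top of the loop body, since with the advance the loop now runs once per real continuation and a beacon whose fragments sum to more than the buffer must still stop there rather than write past merged_ie. A one-line comment above `mbssid_elem = next_mbssid;` noting that cfg80211_get_profile_continuation() searches strictly beyond the pair it is given would also spare the next reader a trip to the Fixes: commit.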

base-commit: fcee7d82f27d6a8b1ddc5bbefda59b4e441e9bc0
-- 
2.50.1 (Apple Git-155)
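The loop behaviour the commit message describes, as an added example that is not part of the patch or of the kernel's own code: a simplified C model of cfg80211_merge_profile() and cfg80211_get_profile_continuation() run over a constructed beacon, once without advancing the loop variables (the bug) and once with the advance (the fix). The element layout, the continuation rules (sub_elem must be the last subelement of its MBSSID element; the next MBSSID element's first subelement continues the profile unless its data starts with a Non-transmitted BSSID Capability element) and the names find_elem, get_continuation, merge_profile, run_merge and beacon_ies are assumptions made for this illustration and only approximate the kernel helpers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 information element: one-byte id, one-byte length, payload. */
struct element {
	uint8_t id;
	uint8_t datalen;
	uint8_t data[];
} __attribute__((packed));

#define WLAN_EID_MULTIPLE_BSSID		71
#define WLAN_EID_NON_TX_BSSID_CAP	83

/* First well-formed element with `id` in [ies, ies + len), or NULL. */
static const struct element *find_elem(uint8_t id, const uint8_t *ies, size_t len)
{
	const uint8_t *p = ies, *end = ies + len;

	while (p + 2 <= end) {
		const struct element *e = (const struct element *)p;

		if (p + 2 + e->datalen > end)
			return NULL;
		if (e->id == id)
			return e;
		p += 2 + e->datalen;
	}
	return NULL;
}

/* Assumed model of cfg80211_get_profile_continuation(): only looks at MBSSID
 * elements that follow mbssid_elem, so it can only make progress if the
 * caller moves the pair forward. The MBSSID element that carries the
 * continuation is returned through *next_mbssid. */
static const struct element *
get_continuation(const uint8_t *ie, size_t ielen,
		 const struct element *mbssid_elem,
		 const struct element *sub_elem,
		 const struct element **next_mbssid)
{
	const uint8_t *mbssid_end = mbssid_elem->data + mbssid_elem->datalen;
	const struct element *nm, *ns;

	if (sub_elem->data + sub_elem->datalen != mbssid_end)	/* not last subelement */
		return NULL;
	nm = find_elem(WLAN_EID_MULTIPLE_BSSID, mbssid_end, ielen - (mbssid_end - ie));
	if (!nm || nm->datalen < 4)
		return NULL;
	ns = (const struct element *)&nm->data[1];	/* data[0] is the MaxBSSID indicator */
	if (ns->id != 0 || ns->datalen < 2 || nm->datalen < 3 + ns->datalen)
		return NULL;
	if (ns->data[0] == WLAN_EID_NON_TX_BSSID_CAP)	/* starts a new profile */
		return NULL;
	*next_mbssid = nm;
	return ns;
}

/* Model of the while-loop in cfg80211_merge_profile(). With advance == 0 the
 * pair never moves, so the same continuation is found and copied again and
 * again until merged_ie is full; with advance == 1 each fragment is copied
 * once. Returns bytes written; *copies counts fragments appended. */
static size_t merge_profile(const uint8_t *ie, size_t ielen,
			    const struct element *mbssid_elem,
			    const struct element *sub_elem,
			    uint8_t *merged_ie, size_t max_copy_len,
			    int advance, unsigned *copies)
{
	const struct element *next_mbssid, *next_sub;
	size_t copied_len = sub_elem->datalen;

	*copies = 0;
	if (copied_len > max_copy_len)
		return 0;
	memcpy(merged_ie, sub_elem->data, copied_len);

	while ((next_sub = get_continuation(ie, ielen, mbssid_elem, sub_elem,
					    &next_mbssid))) {
		if (copied_len + next_sub->datalen > max_copy_len)
			break;
		memcpy(merged_ie + copied_len, next_sub->data, next_sub->datalen);
		copied_len += next_sub->datalen;
		(*copies)++;

		if (advance) {	/* the fix: search beyond the consumed continuation */
			mbssid_elem = next_mbssid;
			sub_elem = next_sub;
		}
	}
	return copied_len;
}

/* Constructed beacon IE buffer (not a capture): one nontransmitted profile
 * split over three consecutive MBSSID elements, then a fourth MBSSID element
 * that starts a different profile. */
static const uint8_t beacon_ies[] = {
	/* MBSSID #1: MaxBSSID=1, profile subelement = NonTx cap + SSID "abc" */
	71, 12,  1,  0, 9,  83, 2, 0x01, 0x00,  0, 3, 'a', 'b', 'c',
	/* MBSSID #2: continuation carrying Supported Rates */
	71, 7,   1,  0, 4,  1, 2, 0x82, 0x84,
	/* MBSSID #3: continuation carrying DS Parameter Set (channel 6) */
	71, 6,   1,  0, 3,  3, 1, 6,
	/* MBSSID #4: a new profile, so not a continuation */
	71, 7,   1,  0, 4,  83, 2, 0x01, 0x01,
};

/* Merge the first profile of beacon_ies into out; returns bytes written. */
size_t run_merge(int advance, uint8_t *out, size_t outlen, unsigned *copies)
{
	const struct element *mbssid = find_elem(WLAN_EID_MULTIPLE_BSSID,
						 beacon_ies, sizeof(beacon_ies));
	const struct element *sub = (const struct element *)&mbssid->data[1];

	return merge_profile(beacon_ies, sizeof(beacon_ies), mbssid, sub,
			     out, outlen, advance, copies);
}

int main(void)
{
	uint8_t buf[64];
	unsigned copies;
	size_t n;

	n = run_merge(0, buf, sizeof(buf), &copies);
	printf("no advance: %zu bytes, %u fragment copies\n", n, copies);
	n = run_merge(1, buf, sizeof(buf), &copies);
	printf("advance:    %zu bytes, %u fragment copies\n", n, copies);
	return 0;
}
```

With a 64-byte destination the unfixed loop appends the 4-byte Supported Rates fragment thirteen times and stops only when the next copy would not fit, whereas the fixed loop appends the two real continuations and then gets NULL from the helper because MBSSID #4 begins a new profile. The work done per beacon in the buggy case scales with the destination size divided by the smallest continuation the helper accepts, which is the cost the commit message describes.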


