[PATCH] wifi: cfg80211: advance loop vars in cfg80211_merge_profile()

[PATCH] wifi: cfg80211: advance loop vars in cfg80211_merge_profile()

[John Walker]

cfg80211_merge_profile() reassembles a Multi-BSSID non-transmitted BSS
profile that has been split across multiple consecutive MBSSID elements.
Its while-loop calls

	cfg80211_get_profile_continuation(ie, ielen, mbssid_elem, sub_elem)

but never advances mbssid_elem or sub_elem inside the body.  Each
iteration therefore searches for a continuation that follows the same
fixed pair; the helper returns the same next_mbssid; and the same
next_sub bytes are memcpy()'d into merged_ie at a growing offset until
the buffer fills.

Advance both mbssid_elem and sub_elem to the just-consumed continuation
so the next call to cfg80211_get_profile_continuation() searches for a
further continuation beyond it (or returns NULL when none exists).

A specially-crafted malicious beacon can take advantage of this bug
to cause the kernel to spend an excessive amount of time in 
cfg80211_merge_profile (up to as much as 2ms per beacon recieved),
which could theoretically be abused in some way.

Fixes: fe806e4992c9 ("cfg80211: support profile split between elements")
Cc: w@1wt.eu
Cc: linux-wireless@vger.kernel.org
Signed-off-by: John Walker <johnwalker0@gmail.com>
---
 net/wireless/scan.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 328af43ef832..358cbc9e43d8 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2462,6 +2462,9 @@ size_t cfg80211_merge_profile(const u8 *ie, size_t ielen,
 		memcpy(merged_ie + copied_len, next_sub->data,
 		       next_sub->datalen);
 		copied_len += next_sub->datalen;
+
+		mbssid_elem = next_mbssid;
+		sub_elem = next_sub;
 	}
 
 	return copied_len;

base-commit: fcee7d82f27d6a8b1ddc5bbefda59b4e441e9bc0
-- 
2.50.1 (Apple Git-155)