iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Johannes Berg 77bb20ccb9 wifi: cfg80211: avoid nontransmitted BSS list corruption 
commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.

If a non-transmitted BSS shares enough information (both
SSID and BSSID!) with another non-transmitted BSS of a
different AP, then we can find and update it, and then
try to add it to the non-transmitted BSS list. We do a
search for it on the transmitted BSS, but if it's not
there (but belongs to another transmitted BSS), the list
gets corrupted.

Since this is an erroneous situation, simply fail the
list insertion in this case and free the non-transmitted
BSS.

This fixes CVE-2022-42721.

Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-10-15 07:54:41 +02:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:47:31 +02:00
9p
net/9p: Initialize the iounit field during fid creation
2022-08-25 11:18:17 +02:00
802
net/802/garp: fix memleak in garp_request_join()
2021-07-31 08:19:38 +02:00
8021q
net: vlan: fix underflow for the real_dev refcnt
2021-12-01 09:23:34 +01:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 14:47:41 +02:00
atm
atm: fix a memory leak of vcc->user_back
2020-10-01 13:17:58 +02:00
ax25
ax25: Fix UAF bugs in ax25 timers
2022-04-20 09:19:40 +02:00
batman-adv
batman-adv: Don't skb_split skbuffs with frag_list
2022-05-18 09:47:24 +02:00
bluetooth
Bluetooth: L2CAP: Fix build errors in some archs
2022-09-05 10:27:45 +02:00
bpf
bpf: Don't redirect packets with invalid pkt_len
2022-09-05 10:27:46 +02:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:53:33 +02:00
bridge
netfilter: ebtables: fix memory leak when blob is malformed
2022-09-28 11:04:07 +02:00
caif
net-caif: avoid user-triggerable WARN_ON(1)
2021-09-22 12:26:40 +02:00
can
can: j1939: j1939_session_destroy(): fix memory leak of skbs
2022-08-25 11:18:39 +02:00
ceph
libceph: clear con->out_msg on Policy::stateful_server faults
2020-11-05 11:43:34 +01:00
core
net: neigh: don't call kfree_skb() under spin_lock_irqsave()
2022-09-05 10:27:48 +02:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:07:51 +01:00
dccp
dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock
2022-08-25 11:17:49 +02:00
decnet
net: decnet: Fix sleeping inside in af_decnet
2021-07-28 13:30:56 +02:00
dns_resolver
KEYS: Don't write out to userspace while holding key semaphore
2020-04-23 10:36:45 +02:00
dsa
net: dsa: Add missing of_node_put() in dsa_port_parse_of
2022-03-23 09:12:07 +01:00
ethernet
hsr
hsr: use netdev_err() instead of WARN_ONCE()
2021-05-14 09:44:10 +02:00
ieee802154
net/ieee802154: fix uninit value bug in dgram_sendmsg
2022-10-15 07:54:37 +02:00
ife
ipv4
tcp: fix early ETIMEDOUT after spurious non-SACK RTO
2022-09-15 12:04:56 +02:00
ipv6
ipv6: sr: fix out-of-bounds read when setting HMAC data.
2022-09-15 12:04:55 +02:00
iucv
net/af_iucv: remove WARN_ONCE on malformed RX packets
2021-03-07 12:20:42 +01:00
kcm
kcm: fix strp_init() order and cleanup
2022-09-15 12:04:50 +02:00
key
af_key: Do not call xfrm_probe_algs in parallel
2022-09-05 10:27:40 +02:00
l2tp
ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
2022-06-22 14:11:21 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:50:47 +02:00
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:25:28 +01:00
llc
llc: only change llc->dev when bind() succeeds
2022-03-28 08:46:48 +02:00
mac80211
wifi: cfg80211/mac80211: reject bad MBSSID elements
2022-10-15 07:54:40 +02:00
mac802154
net: mac802154: Fix a condition in the receive path
2022-09-15 12:04:53 +02:00
mpls
net: mpls: Fix notifications when deleting a device
2021-12-08 09:01:12 +01:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:37:45 +01:00
netfilter
netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()
2022-09-28 11:04:05 +02:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-15 14:18:35 +02:00
netlink
netlink: do not reset transport header in netlink_recvmsg()
2022-05-18 09:47:25 +02:00
netrom
netrom: Decrease sock refcount when sock timers expire
2021-07-28 13:30:56 +02:00
nfc
NFC: NULL out the dev->rfkill to prevent UAF
2022-06-14 18:11:33 +02:00
nsh
openvswitch
net: openvswitch: fix parsing of nw_proto for IPv6 fragments
2022-06-29 08:58:44 +02:00
packet
net/af_packet: check len when min_header_len equals to 0
2022-09-05 10:27:48 +02:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:23:33 +01:00
psample
qrtr
net: qrtr: fix another OOB Read in qrtr_endpoint_post
2021-09-03 10:08:12 +02:00
rds
rds: add missing barrier to release_refill
2022-08-25 11:18:18 +02:00
rfkill
rfkill: Fix use-after-free in rfkill_resume()
2020-11-24 13:29:05 +01:00
rose
rose: check NULL rose_loopback_neigh->loopback
2022-09-05 10:27:40 +02:00
rxrpc
rxrpc: Fix calc of resend age
2022-09-28 11:03:58 +02:00
sched
net: sched: fix possible refcount leak in tc_new_tfilter()
2022-09-28 11:04:07 +02:00
sctp
sctp: leave the err path free in sctp_stream_init to sctp_stream_free
2022-08-03 11:59:41 +02:00
smc
net/smc: Remove redundant refcount increase
2022-09-15 12:04:50 +02:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-17 09:48:48 +01:00
sunrpc
SUNRPC: RPC level errors should set task->tk_rpc_status
2022-09-05 10:27:40 +02:00
switchdev
net: switchdev: do not propagate bridge updates across bridges
2021-10-27 09:54:24 +02:00
tipc
tipc: fix shift wrapping bug in map_get()
2022-09-15 12:04:55 +02:00
tls
net/tls: Fix race in TLS device down flow
2022-07-29 17:14:12 +02:00
unix
af_unix: Fix a data-race in unix_dgram_peer_wake_me().
2022-06-14 18:11:57 +02:00
vmw_vsock
vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout()
2022-08-25 11:18:25 +02:00
wimax
wireless
wifi: cfg80211: avoid nontransmitted BSS list corruption
2022-10-15 07:54:41 +02:00
x25
net/x25: Fix null-ptr-deref caused by x25_disconnect
2022-04-15 14:18:21 +02:00
xdp
Revert "xsk: Do not sleep in poll() when need_wakeup set"
2021-12-22 09:29:40 +01:00
xfrm
xfrm: fix refcount leak in __xfrm_policy_check()
2022-09-05 10:27:39 +02:00
compat.c
net: Return the correct errno code
2021-06-18 09:59:00 +02:00
Kconfig
net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build
2020-04-01 11:02:18 +02:00
Makefile
socket.c
net: Fix a data-race around sysctl_somaxconn.
2022-09-05 10:27:42 +02:00
sysctl_net.c