wifi: wilc1000: validate pairwise and authentication suite offsets
authorPhil Turnbull <philipturnbull@github.com>
Wed, 23 Nov 2022 15:35:40 +0000 (10:35 -0500)
committerKalle Valo <kvalo@kernel.org>
Thu, 24 Nov 2022 16:11:23 +0000 (18:11 +0200)
There is no validation of 'offset' which can trigger an out-of-bounds
read when extracting RSN capabilities.

Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.com
drivers/net/wireless/microchip/wilc1000/hif.c

index eb1d1ba..67df822 100644 (file)
@@ -482,14 +482,25 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
 
        rsn_ie = cfg80211_find_ie(WLAN_EID_RSN, ies->data, ies->len);
        if (rsn_ie) {
+               int rsn_ie_len = sizeof(struct element) + rsn_ie[1];
                int offset = 8;
 
-               param->mode_802_11i = 2;
-               param->rsn_found = true;
                /* extract RSN capabilities */
-               offset += (rsn_ie[offset] * 4) + 2;
-               offset += (rsn_ie[offset] * 4) + 2;
-               memcpy(param->rsn_cap, &rsn_ie[offset], 2);
+               if (offset < rsn_ie_len) {
+                       /* skip over pairwise suites */
+                       offset += (rsn_ie[offset] * 4) + 2;
+
+                       if (offset < rsn_ie_len) {
+                               /* skip over authentication suites */
+                               offset += (rsn_ie[offset] * 4) + 2;
+
+                               if (offset + 1 < rsn_ie_len) {
+                                       param->mode_802_11i = 2;
+                                       param->rsn_found = true;
+                                       memcpy(param->rsn_cap, &rsn_ie[offset], 2);
+                               }
+                       }
+               }
        }
 
        if (param->rsn_found) {
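Review bot: The bounds checks are correct as far as the visible code shows, but the constants that make them work are undocumented: `int offset = 8;` and the two `offset += (rsn_ie[offset] * 4) + 2;` lines encode the RSN element layout, and a future reader has no way to verify the checks without knowing it. I would annotate the initialiser as `int offset = 8; /* element header (2) + version (2) + group cipher suite (4) */` and each skip as `/* suite count field (2 bytes, only the low byte is used) followed by 4-byte suite selectors */`, since the code reads a single byte of what is a two-byte count field and the later `offset < rsn_ie_len` checks are what keep that safe. The three-deep nesting could also be expressed as a chain of guard conditions that fall through to the existing "not found" state, which would keep the length check next to the read it protects, but that is a matter of style. wilc_parse_join_bss_param continues outside the hunk, so whether rsn_cap is consumed elsewhere when rsn_found stays false cannot be confirmed from here.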