wifi: cfg80211: wext: add extra SIOCSIWSCAN data check

[ Upstream commit 6ef09cdc5ba0f93826c09d810c141a8d103a80fc ]

In 'cfg80211_wext_siwscan()', add extra check whether number of
channels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed
IW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.

Reported-by: syzbot+253cd2d2491df77c93ac@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=253cd2d2491df77c93ac
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Link: https://msgid.link/20240531032010.451295-1-dmantipov@yandex.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 0c0d54e40131d26b0857897ae9507f0f5e25821c..a811ad02e6d1ff40031e06919f8653b94e82586b 100644 (file)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -3411,10 +3411,14 @@ int cfg80211_wext_siwscan(struct net_device *dev,
        wiphy = &rdev->wiphy;
 
        /* Determine number of channels, needed to allocate creq */
-       if (wreq && wreq->num_channels)
+       if (wreq && wreq->num_channels) {
+               /* Passed from userspace so should be checked */
+               if (unlikely(wreq->num_channels > IW_MAX_FREQUENCIES))
+                       return -EINVAL;
                n_channels = wreq->num_channels;
-       else
+       } else {
                n_channels = ieee80211_get_num_supported_channels(wiphy);
+       }
 
        creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) +
                       n_channels * sizeof(void *),