wifi: cfg80211: wext: add extra SIOCSIWSCAN data check

In 'cfg80211_wext_siwscan()', add extra check whether number of
channels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed
IW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise.

Reported-by: syzbot+253cd2d2491df77c93ac@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=253cd2d2491df77c93ac
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Link: https://msgid.link/20240531032010.451295-1-dmantipov@yandex.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index d7485e26f4fc2bd5ee1f5f44f9228681e88acde3..0222ede0feb60b1bab05f12b6db3fdddafa101d3 100644 (file)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -3416,10 +3416,14 @@ int cfg80211_wext_siwscan(struct net_device *dev,
        wiphy = &rdev->wiphy;
 
        /* Determine number of channels, needed to allocate creq */
-       if (wreq && wreq->num_channels)
+       if (wreq && wreq->num_channels) {
+               /* Passed from userspace so should be checked */
+               if (unlikely(wreq->num_channels > IW_MAX_FREQUENCIES))
+                       return -EINVAL;
                n_channels = wreq->num_channels;
-       else
+       } else {
                n_channels = ieee80211_get_num_supported_channels(wiphy);
+       }
 
        creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) +
                       n_channels * sizeof(void *),