commit
7388afe09143210f555bdd6c75035e9acc1fab96 upstream.
Enforce the first argument to be a correct type of a pointer to struct
element and avoid unnecessary typecasts from const to non-const pointers
(the change in validate_ie_attr() is needed to make this part work). In
addition, avoid signed/unsigned comparison within for_each_element() and
mark struct element packed just in case.
Mot-CRs-fixed: (CR)
CVE-Fixed: CVE-2019-16746
Bug:
145728612
Signed-off-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jignesh Patel <jignesh@motorola.com>
Change-Id: If727423ab9539110c78487a2e38f118060122e06
Reviewed-on: https://gerrit.mot.com/
1681824
SLTApproved: Slta Waiver
SME-Granted: SME Approvals Granted
Tested-by: Jira Key
Reviewed-by: Xiangpo Zhao <zhaoxp3@motorola.com>
Submit-Approved: Jira Key
(cherry picked from commit
6f4e34bffb1d256cd6899814705859733de1c621)
u8 id;
u8 datalen;
u8 data[];
u8 id;
u8 datalen;
u8 data[];
/* element iteration helpers */
/* element iteration helpers */
-#define for_each_element(element, _data, _datalen) \
- for (element = (void *)(_data); \
- (u8 *)(_data) + (_datalen) - (u8 *)element >= \
- sizeof(*element) && \
- (u8 *)(_data) + (_datalen) - (u8 *)element >= \
- sizeof(*element) + element->datalen; \
- element = (void *)(element->data + element->datalen))
+#define for_each_element(_elem, _data, _datalen) \
+ for (_elem = (const struct element *)(_data); \
+ (const u8 *)(_data) + (_datalen) - (const u8 *)_elem >= \
+ (int)sizeof(*_elem) && \
+ (const u8 *)(_data) + (_datalen) - (const u8 *)_elem >= \
+ (int)sizeof(*_elem) + _elem->datalen; \
+ _elem = (const struct element *)(_elem->data + _elem->datalen))
#define for_each_element_id(element, _id, data, datalen) \
for_each_element(element, data, datalen) \
#define for_each_element_id(element, _id, data, datalen) \
for_each_element(element, data, datalen) \
static inline bool for_each_element_completed(const struct element *element,
const void *data, size_t datalen)
{
static inline bool for_each_element_completed(const struct element *element,
const void *data, size_t datalen)
{
- return (u8 *)element == (u8 *)data + datalen;
+ return (const u8 *)element == (const u8 *)data + datalen;
}
#endif /* LINUX_IEEE80211_H */
}
#endif /* LINUX_IEEE80211_H */