wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()

[ Upstream commit 62b635dcd69c4fde7ce1de4992d71420a37e51e3 ] If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would lead to memory corruption so add some bounds checking. Fixes: c38c70185101 ("wifi: cfg80211: Set SSID if it is not already set") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Link: https://patch.msgid.link/0aaaae4a3ed37c6252363c34ae4904b1604e8e32.1756456951.git.dan.carpenter@linaro.org Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Dan Carpenter <dan.carpenter@linaro.org> 2025-08-29 15:48:45 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-09-09 19:02:25 +0200
commit: 5cb7cab7adf9b1e6a99e2081b0e30e9e59d07523 (patch)
tree: 934ae21a0b08378e9cd45b35ebb2cf03a9f5f9f6
parent: d7d989786ad38ac3a538978418c28593a4e22df7 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index cf998500a965..05d06512983c 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -901,13 +901,16 @@ void __cfg80211_connect_result(struct net_device *dev,
 	if (!wdev->u.client.ssid_len) {
 		rcu_read_lock();
 		for_each_valid_link(cr, link) {
+			u32 ssid_len;
+
 			ssid = ieee80211_bss_get_elem(cr->links[link].bss,
 						      WLAN_EID_SSID);
 
 			if (!ssid || !ssid->datalen)
 				continue;
 
-			memcpy(wdev->u.client.ssid, ssid->data, ssid->datalen);
+			ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN);
+			memcpy(wdev->u.client.ssid, ssid->data, ssid_len);
 			wdev->u.client.ssid_len = ssid->datalen;
 			break;
 		}
author	Dan Carpenter <dan.carpenter@linaro.org>	2025-08-29 15:48:45 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-09-09 19:02:25 +0200
commit	5cb7cab7adf9b1e6a99e2081b0e30e9e59d07523 (patch)
tree	934ae21a0b08378e9cd45b35ebb2cf03a9f5f9f6
parent	d7d989786ad38ac3a538978418c28593a4e22df7 (diff)