diff options
| author | David S. Miller <davem@davemloft.net> | 2017-10-09 12:52:55 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-10-09 12:52:55 -0400 |
| commit | 6df4d17c442f39137026bce387b0100eef8a25ba (patch) | |
| tree | 8e283a8d4ff7f4943723828b8f6b4ed0756e1f3b | |
| parent | 93b03193c6a579dbe5e19139d1ab47b70dbeeebd (diff) | |
| parent | ad670233c9e1d5feb365d870e30083ef1b889177 (diff) | |
Merge tag 'mac80211-for-davem-2017-10-09' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
Johannes Berg says:
====================
pull-request: mac80211 2017-10-09
The QCA folks found another netlink problem - we were missing validation
of some attributes. It's not super problematic since one can only read a
few bytes beyond the message (and that memory must exist), but here's the
fix for it.
I thought perhaps we can make nla_parse_nested() require a policy, but
given the two-stage validation/parsing in regular netlink that won't work.
Please pull and let me know if there's any problem.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/wireless/nl80211.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 690874293cfc..d396cb61a280 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c | |||
| @@ -549,6 +549,14 @@ nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = { | |||
| 549 | [NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED }, | 549 | [NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED }, |
| 550 | }; | 550 | }; |
| 551 | 551 | ||
| 552 | /* policy for packet pattern attributes */ | ||
| 553 | static const struct nla_policy | ||
| 554 | nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = { | ||
| 555 | [NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, }, | ||
| 556 | [NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, }, | ||
| 557 | [NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 }, | ||
| 558 | }; | ||
| 559 | |||
| 552 | static int nl80211_prepare_wdev_dump(struct sk_buff *skb, | 560 | static int nl80211_prepare_wdev_dump(struct sk_buff *skb, |
| 553 | struct netlink_callback *cb, | 561 | struct netlink_callback *cb, |
| 554 | struct cfg80211_registered_device **rdev, | 562 | struct cfg80211_registered_device **rdev, |
| @@ -10532,7 +10540,8 @@ static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info) | |||
| 10532 | u8 *mask_pat; | 10540 | u8 *mask_pat; |
| 10533 | 10541 | ||
| 10534 | nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat, | 10542 | nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat, |
| 10535 | NULL, info->extack); | 10543 | nl80211_packet_pattern_policy, |
| 10544 | info->extack); | ||
| 10536 | err = -EINVAL; | 10545 | err = -EINVAL; |
| 10537 | if (!pat_tb[NL80211_PKTPAT_MASK] || | 10546 | if (!pat_tb[NL80211_PKTPAT_MASK] || |
| 10538 | !pat_tb[NL80211_PKTPAT_PATTERN]) | 10547 | !pat_tb[NL80211_PKTPAT_PATTERN]) |
| @@ -10781,7 +10790,8 @@ static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev, | |||
| 10781 | rem) { | 10790 | rem) { |
| 10782 | u8 *mask_pat; | 10791 | u8 *mask_pat; |
| 10783 | 10792 | ||
| 10784 | nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat, NULL, NULL); | 10793 | nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat, |
| 10794 | nl80211_packet_pattern_policy, NULL); | ||
| 10785 | if (!pat_tb[NL80211_PKTPAT_MASK] || | 10795 | if (!pat_tb[NL80211_PKTPAT_MASK] || |
| 10786 | !pat_tb[NL80211_PKTPAT_PATTERN]) | 10796 | !pat_tb[NL80211_PKTPAT_PATTERN]) |
| 10787 | return -EINVAL; | 10797 | return -EINVAL; |