aboutsummaryrefslogtreecommitdiffstats
path: root/net/wireless
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2010-08-30 06:24:54 -0400
committerJohn W. Linville <linville@tuxdriver.com>2010-08-30 16:35:17 -0400
commit42da2f948d949efd0111309f5827bf0298bcc9a4 (patch)
tree9bcf654ba27e198935a00e679c91181365ee37fa /net/wireless
parent9ef808048564928a83f3a52c65c5725688cf5cbe (diff)
wireless extensions: fix kernel heap content leak
Wireless extensions have an unfortunate, undocumented requirement which requires drivers to always fill iwp->length when returning a successful status. When a driver doesn't do this, it leads to a kernel heap content leak when userspace offers a larger buffer than would have been necessary. Arguably, this is a driver bug, as it should, if it returns 0, fill iwp->length, even if it separately indicated that the buffer contents was not valid. However, we can also at least avoid the memory content leak if the driver doesn't do this by setting the iwp length to max_tokens, which then reflects how big the buffer is that the driver may fill, regardless of how big the userspace buffer is. To illustrate the point, this patch also fixes a corresponding cfg80211 bug (since this requirement isn't documented nor was ever pointed out by anyone during code review, I don't trust all drivers nor all cfg80211 handlers to implement it correctly). Cc: stable@kernel.org [all the way back] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/wireless')
-rw-r--r--net/wireless/wext-compat.c3
-rw-r--r--net/wireless/wext-core.c16
2 files changed, 19 insertions, 0 deletions
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index bb5e0a5ecfa1..7e5c3a45f811 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -1420,6 +1420,9 @@ int cfg80211_wext_giwessid(struct net_device *dev,
1420{ 1420{
1421 struct wireless_dev *wdev = dev->ieee80211_ptr; 1421 struct wireless_dev *wdev = dev->ieee80211_ptr;
1422 1422
1423 data->flags = 0;
1424 data->length = 0;
1425
1423 switch (wdev->iftype) { 1426 switch (wdev->iftype) {
1424 case NL80211_IFTYPE_ADHOC: 1427 case NL80211_IFTYPE_ADHOC:
1425 return cfg80211_ibss_wext_giwessid(dev, info, data, ssid); 1428 return cfg80211_ibss_wext_giwessid(dev, info, data, ssid);
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index 0ef17bc42bac..8f5116f5af19 100644
--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -782,6 +782,22 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
782 } 782 }
783 } 783 }
784 784
785 if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
786 /*
787 * If this is a GET, but not NOMAX, it means that the extra
788 * data is not bounded by userspace, but by max_tokens. Thus
789 * set the length to max_tokens. This matches the extra data
790 * allocation.
791 * The driver should fill it with the number of tokens it
792 * provided, and it may check iwp->length rather than having
793 * knowledge of max_tokens. If the driver doesn't change the
794 * iwp->length, this ioctl just copies back max_token tokens
795 * filled with zeroes. Hopefully the driver isn't claiming
796 * them to be valid data.
797 */
798 iwp->length = descr->max_tokens;
799 }
800
785 err = handler(dev, info, (union iwreq_data *) iwp, extra); 801 err = handler(dev, info, (union iwreq_data *) iwp, extra);
786 802
787 iwp->length += essid_compat; 803 iwp->length += essid_compat;